How Secure Is Dropbox? User Accounts Hacked, Email Addresses Leaked

If you are a Dropbox user, it might be a good time to change your password. Dropbox is confirming that a number of user accounts were hacked recently, including an employee account that contained a document that included a list of user email addresses, according to AllThingsD. The hack led to a large spam attack on a number of Dropbox users.

Dropbox has since contacted those users to let them know about the hack and stolen email addresses. The cloud storage company has also taken measures to beef up their security, including requiring two forms of identification when signing in as well as a few user and company generated ways to monitor suspicious activity.

Looking for a more secure way to share your files? Most companies that provide both online backup and cloud storage, such as SugarSync and Mozy, provide additional levels of encryption because of their backup services. SpiderOak actually triple encrypts your files upon backup, but they also have a true zero-knowledge password and data policy. Plus, big names like Dropbox and Google Drive are a target for hackers because they are so popular, where some of the more reliable, lesser-known cloud storage names can fly under the radar of hackers.

In addition, many of the online backup/cloud storage services offer more features. SugarSync gives free storage (5 GB instead of just the 2 GB that Dropbox offers), but users can also get their affordable paid plan, which comes to $4.17/month with the annual plan, and back up their entire computer. Not only will you have the convenience of online file access and computer syncing, but your computer, or multiple computers, will be fully backed up online in case of emergencies like a crash or theft.

To check out all of the cloud storage services that we review and find one that fits your needs, check out our compare page here.

• Tweet

Connecticut sues Health Net for data breach

Connecticut Attorney General Richard Blumenthal has filed a lawsuit against Health Net for HIPPA violations in the wake of a data breach. Last May, Health Net discovered that a portable disk drive containing confidential health information, Social Security numbers, and bank account numbers of nearly half a million past and present enrollees had disappeared. The data was not encrypted, and the company did not begin notifying those whose data had been compromised until November 30.

Blumenthal is civil penalties, which are limited to a maximum of $1.5 million per year, as well as a court order that would require Health Net to encrypt any personal health information contained on a portable electronic device. In a written statement, Blumenthal said, "The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers."

Health Net has offered two years of free credit monitoring and $1 million of identity theft insurance to affected members, and has promised additional assistance to anyone who does become an identity theft victim as a result of the breach.

Medical identity theft is a growing concern. One way to protect yourself is to invest in an identity theft protection service like TrustedID, which monitors for medical identity theft as well as financial identity theft. To learn more about TrustedID and other identity theft protection services, see our reviews and comparison chart.

• Tweet

Data Breach Alert: Facebook application developer RockYou failed to protect data

RockYou is a company that develops applications for Facebook, MySpace, and a number of other popular social networking websites. It's the second biggest application developer for Facebook after Zynga, which recently made headlines for its "scammy" offers. Last month, RockYou fell victim to an SQL injection attack, in which a hacker or hackers successfully accessed a database containing email addresses and passwords for over 30 million users. Last week, RockYou was hit with a class action lawsuit, alleging that RockYou "recklessly and knowingly failed to take even the most basic steps to protect its users' personally identifiable information by leaving data entirely unencrypted and available for any person with a basic set of hacking skills."

Login data for a social networking application may seem like a trivial data breach, but it becomes a more serious matter when one considers the frequency with which the same password is reused for several online accounts. If someone gets into your RockYou account, the consequences will probably be minimal, but that same stolen data could be used to access your personal email or online banking accounts.

We've said it before and we'll surely be compelled to say it many, many more times, but: don't use the same password for multiple online accounts! It's a terrible habit that compromises your security and identity. And think carefully about whether applications on Facebook and other social networking sites are really worth the risk of viruses and identity theft.

Be sure to install Internet security software, and set it to update automatically. And consider investing in identity theft protection.

• Tweet

Data breaches are like mice, or cockroaches

Why are data breaches like mice or cockroaches? Because for every one that you see, there are hundreds or even thousands that you don't see.

According to the FBI's top Internet crimes investigator, the public only knows about a handful of the thousands of data breaches investigated by the FBI. Because companies that suffer from data breaches fear bad publicity, they often fail to report the crime to the FBI, or wait so long that it becomes nearly impossible to track down evidence. When data theft goes unreported, the hackers are free to continue targeting more companies. And since large companies have finally begun to strengthen their data security, hackers have responded by targeting smaller companies that have fewer resources to prevent cybercrime. Since these breaches are smaller, they are less likely to be reported by the press.

If your data is compromised in a large and public data breach, you may be offered a year or two of free credit monitoring or identity theft protection. But if your Social Security data or bank account information is stolen from a small company, you may never even know. In fact, the small company itself may not become aware of the breach for months or years. To proactively safeguard your own identity, consider investing in credit report monitoring or identity theft protection before your data falls into the wrong hands.

• Tweet

Data Breach Alert: Social Security numbers printed on postcards

Last week, the Universal American Action Network, a subsidiary of Universal American Insurance, sent 80,000 postcards to Medicare participants throughout the country. On these postcards, printed above the recipients' names, were their Social Security numbers.

The mistake occurred because Social Security numbers are often used as Medicare account numbers. The Universal American Action Network responded by firing the vendor responsible for the mailing, and offering one year of free credit monitoring to the Medicare members whose Social Security numbers have been compromised.

As important as it is to safeguard your sensitive personal data, particularly your Social Security number, there's just no way of guaranteeing that large organizations treat this data responsibly. Once your data has been compromised by a single careless mistake, your identity is at risk. Credit report monitoring is one way to mitigate this risk. For more comprehensive prevention and detection, you might consider investing in an identity theft protection service.

• Tweet

Don't throw confidential documents out a window

New Yorkers were very excited about the Yankee's World Series win last week. So excited, in fact, that when they couldn't find any confetti during the victory parade on Friday, they began tossing miscellaneous paperwork out the window. That miscellaneous paperwork included a wealth of confidential information.

Pay stubs, balance sheets, and client account information were all dumped into the street. The client account information came from the window of Liberty Street financial firm A.L. Sarroff, and included Social Security numbers.

Documents containing sensitive personal information or confidential company data should be shredded before they are disgarded. Conscientious handling of your own personal information is one way to avoid identity theft. But since you never know when an overenthusiastic Yankees fan might fling your Social Security number out of an office window, consider investing in an identity theft protection service.

• Tweet

Second PayChoice breach in one month

Earlier this month, PayChoice, a payroll processing firm, was breached by hackers. Last week, PayChoice was hacked yet again. The last hack was unusually complex, involving a data breach, phishing emails, malicious websites, and a Trojan horse. The latest attack hinged on a security vulnerability in PayChoice's online portal, OnlineEmployer.com. It appears as though hackers have exploited this vulnerability in order to steal customers' usernames and passwords. The stolen credentials were then used to add fictitious employees to customers' payrolls, in an attempt to have recurring payments made to fraudulent bank accounts.

PayChoice is a leader in the payroll services and software industry, with over 125,000 business customers. It shouldn't come as a surprise that hackers have targeted a company that facilitates so many financial transactions. But what is surprising is the hackers' persistance and creativity.

To defend yourself from cybercriminals, be sure to install Internet security software, and set it to update automatically. Since the end goal of the most nefarious attacks is usually the theft of personal information that can be used to open fraudulent accounts, you might also consider investing in identity theft protection, which is designed to prevent fraudulent accounts from being opened in your name.

• Tweet

Phishers target PayChoice customers

Hackers recently breached the online systems of PayChoice, a payroll processing firm. Shortly after the hackers accessed customer account information, including email addresses, login IDs, and partial passwords, PayChoice customers began receiving targeted phishing emails prompting them to download a plug-in. The emails, which  addressed recipients by name and referenced their usernames and passwords, explained that the plug-in was necessary for continued access to PayChoice's online payroll service at OnlineEmployer.com. But the download was actually malicious software designed to steal even more account information. The phishing emails also included links to malicious websites, which would attempt to exploit vulnerabilities in Internet Explorer, Adobe Flash, and Adobe Reader to install even more malware. Unlucky victims wound up with a Trojan horse program that attempted to download even more malware and disable security software. This particular Trojan horse slips under the radar of many anti-virus scanners. Security experts believe that this attack was primarily designed to steal online banking credentials.

PayChoice is still investigating the extent of this unusually complex attack. A data breach, phishing emails, malicious websites, and numerous malicious applications including a Trojan horse. All with the likely end goal of identity theft.

How can you defend yourself against such sophisticated hackers? The best course of action is to be wary when clicking on links or downloading files, to keep your browser and Internet security software updated, and to invest in identity theft protection.

• Tweet

How medical data breaches happen

For the past three years, Tennessee doctors have been faxing patient information, including Social Security numbers and medical histories, to Bill Keith, an Indiana businessman whose fax number is similar to that of the disability determination section of the Tennessee Department of Human Services. Keith, who shreds the faxes, has contacted doctors, state officials, and even the governor's office, but the they keep coming, at a rate of five or more per week. This past Friday, the Tennessee Department of Human Services began contacting doctor's offices to inform them of the breach and request that they correct the fax number. Naturally, many doctors were concerned, to say the least, when they were told that they'd been faxing confidential patient information to the wrong number for years.

Identity theft expert Robert Siciliano blogged about the dangers of medical identity theft earlier this week. He described a new rule requiring health care providers to notify patients of any breaches of their medical information. But the fact is, many health care providers don't even realize when a breach has occurred, and in this case, continues to occur on a daily basis.

TrustedID, one of the identity theft protection services reviewed on NextAdvisor.com, monitors your medical records in order to detect medical identity theft. To learn more about TrustedID and other identity theft protection services, see our reviews and comparison chart.

• Tweet

163,000 Social Security numbers compromised in UNC data breach

In July, a University of North Carolina researcher was unable to access a server containing information pertaining to a federally funded mammography study. That information included records on a total of 236,000 women, and Social Security numbers for about 163,000 of those women. Further investigation revealed that the system had been hacked as long ago as 2007. This past Friday, UNC began to notify the 163,000 women whose Social Security numbers were exposed. The delay occurred due to the need to investigate the extent of the compromise and determine which participants were affected.

Imagine being told that hackers have had access to your Social Security number for the past two years. Two years is more than enough time for an identity thief to open new credit accounts in your name, max them out with charges, and move on to the next victim. Meanwhile, unless you check your credit report regularly or subscribe to an identity theft protection service, you might be blissfully unaware of the debt that "you" have accumulated. At least, until you are denied a loan for a new house or car, or collection agents begin banging on your door. It's important that data breach victims be notified in a timely manner, but sometimes, as in this case, the breach isn't discovered until years later. The only way to immediately informed about any new, potentially fraudulent lines of credit in your name is to invest in credit monitoring or identity theft protection. A credit report monitoring service will alert you to any chances in your credit file, which will allow you to take action in response to any suspicious activity. An identity theft protection service will go beyond this basic level of protection to help prevent, detect and, if necessary, resolve cases of identity theft.

To learn more, see our reviews and comparison charts for credit report monitoring and identity theft protection services.

• Tweet