User data of Estonian officials across ministries part of 2012 Dropbox leak
The 2012 Dropbox user data leak affected Estonian state officials and politicians. According to the Information System Authority (RIA), they used their work email addresses to open accounts with the file-sharing service, often in combination with weak passwords they used for other services as well.
Daily Eesti Päevaleht wrote on Monday that despite assurances from state officials and politicians that no state secrets had been accessed, the usernames and passwords that leaked when file-sharing service Dropbox was hacked in 2012 could have been used to access their files.
According to experts, using services like Dropbox in connection with officials’ work addresses is a bad idea, but not the only issue. Dangers also arise from officials using one and the same password for several different services. If one of those services is hacked, whoever gets their hands on the user data could access the others as well, those with sensitive information among them.
That Dropbox was hacked, and the access data of more than 68 million users stolen, only became known in autumn this year. In Estonia, 22,409 people were affected.
The cyber security service of Estonia’s Information System Authority (RIA) analyzed the leaked data and has now found that state officials were affected as well. They had used their work email addresses to access their Dropbox accounts, and in many cases weak passwords as well.
The list of people and institutions in Estonia affected by the leak is very diverse. Members of rock bands are on it, along with kindergartens, city councils, banks, state authorities, and employees of every single Estonian ministry. This includes the country’s security authorities, as well as the Ministry of the Interior, and the Ministry of Defence.
Politicians’ email addresses are on the list as well, for example that of former Minister of Public Administration Arto Aas (Reform), who in 2012 was a member of the Economic Affairs Committee, and the chairman of the European Union Affairs Committee in the Riigikogu.
According to Aas, he and his colleagues wouldn’t typically share work documents using services like Dropbox, but rather send them as email attachments. Secret documents didn’t move around electronically at all, and on top of that, the Riigikogu’s computer systems were well protected. Aas added that the other leaked accounts, which like his own were opened using Reform Party email addresses, belonged to employees of the party’s office.
Although the theft of Estonian officials’ user data has been confirmed, it seems no one has accessed the accounts yet. None of the state authorities was aware of the leak either, however. RIA is currently getting in touch with all the ministries and authorities to make sure they change their passwords.