UPDATED for 2022:I switched to Backblaze because they claimed to offer unlimited data. But they won’t let you backup anything in certain commonly used directories. If some of your programs store data in \program files\ or \program files (x86)\ or any of many other locations, you’re SOL if/when you need to restore. Had I known that 4+ years ago when I first wrote this, I wouldn’t have used Backblaze.
The one time I needed a backup of something, Backblaze didn’t have it.
Furthermore, you can’t add files to your backup, and you can’t remove their hardcoded draconian backup exclusions. For me, this is a non-starter. What’s the point of paying somebody for “unlimited data” backup with hard limits that make it close to useless? On to our previously scheduled program.
Oh Yeah. iDrive Doesn’t Care About Security
I’ve mentioned before how I’m able to act as a canary in the email-database coal mine. …And how companies often don’t take my free, valuable chirps seriously. It happened again.
The unique email address I use to access iDrive started receiving spam in February 2018. It wasn’t just any spam; these sophisticated phishing emails were sent to an email address only iDrive had, and also contained my username/login.
I contacted Drive about a breach, they blew me off.
Then they blew me off again. More accurately, they gave me plenty of lip service, denial, and smoke far up my ass. (All the while admitting other people had contacted them regarding the phishing). This continued for several calls over several weeks. Until I posted publicly on twitter.
iDrive CEO Raghu Kulkarni promptly contacted me.
We talked about the difference between companies reacting appropriately to breaches:
twitter had just announced a big breach and contacted millions upon millions of users asking them to change their passwords
…and companies reacting poorly:
idrive trying to convince a whistle-blower there wasn’t a breach, despite hard evidence. (How does one prove a negative, anyhow?)
In exchange for deleting my tweet, Mr. Kulkarni agreed to set up a crisis communications plan. Within a week’s time, he promised to get all levels of iDrive customer support on board with an appropriate response, should a similar problem arise in the future.
More lip service
Weeks later a friend who signed up for iDrive because of my recommendation contacted them regarding the phishing attempt. He received the same brush-off I did.
iDrive does not take data security seriously.
I only have evidence of a third party accessing email addresses and usernames. Did they also gain access to other allegedly secure bits? I don’t know. Probably not. All the more reason to just react appropriately, and send an email warning customers that somebody gained access to a subset of clients’ usernames and email addresses. …With a little note about how to avoid sophisticated phishing attempts. …Phishing they have hard evidence of. iDrive doesn’t want to do this, clearly.
How did this iDrive breach happen?
Maybe an employee had this info on their laptop or PC, which was then infected with malware. The malware shared the data.
Maybe a former or current employee sold the data to spammers or used it for personal gain?
Maybe it was a good old fashioned breach by some 1990s movie-style hackers.
I can tell you one thing for sure; as in many cases, nobody seems to know. I don’t know how it happened. iDrive won’t even admit there was a breach. What we do know is that iDrive would rather brush evidence of a minor breach under the rug than address it properly.
What would iDrive do after a more serious breach?
I don’t trust them with my data anymore. I’m looking for a new data backup provider. I’ve been with iDrive for years. I really wanted them to do the right thing so I could stay with them. Alas, I don’t trust them, now.
Screenshots of both phishing spams I received are included below. I can only assume the spam continued for others; I set my iDrive email address to return a server error upon message receipt, so I can’t tell you. Spam sucks. So do companies that don’t take security seriously.
Idrive vs. Backblaze
Happy to be done with iDrive. Backblaze was easier to use, but their misleading claims of backing everything up make them a bad option for most people. I’d be happy to join a class action against them.
Dan Dreifort consults on SEO, UX, and sometimes crawls out of the woodwork to opine on infosec, too, it would seem. His band SynthBandDotCom is an intentional trainwreck, sometimes.
12 thoughts on “iDrive security breach. Backblaze not much better.”
Perhaps noteworthy: iDrive knew about this phishing the day it first happened. I emailed them about it on 2/12/18 and didn’t get a response. After the second phishing spam, I opened a ticket with them on 3/6/18. A week later, I still hadn’t heard from them.
iDrive does NOT take security seriously.
I was going to sign up for IDrive this week. I find backup systems and software inscrutable to use. But nonsense if backup data is at risk.
Do you recommend another backup service? Or whose opinion I should trust. Most of the reviews I’ve read so far have IDrive at top of the list
As soon as I find something with the good UX of idrive but with ostensibly better security and customer communications, I’ll be sure to update this post. Until then, it’s a crapshoot of sacrifices. Good luck!
I’ve tried wifi network drives – with disappointment in Seagate GoFlex and Western Digital – My Cloud. Do you have an alternate method of backup – software, backup destination?
I’m going to look into Google and a couple other options but I’ve been complacent with my idrive frustration and haven’t made much progress in the past few months.
I just switched to backblaze. $60 for unlimited backup space for on PC. Easy choice.
I am not at all surprised. If you are using IDrive web portal, after logging on, their load balancer pegs you to your external IP address. This is the laziest way to maintain a session state. I have redundancy in my network using two different ISPs. As a result my external IP address keeps changing based upon which route my router decides to send me through. Since IDrive site pegs my session to my external IP address, I get logged off if the router sends the packet using different IP. I reported this issue several days back. Instead of fixing the issue properly, they sent this BS response today, ” Please note that due to security concern, same session wont be carried on the different IP’s, the session will logout when IP address switches.”
Yup. Nothing could convince me to trust that company with any reasonable level of security best practices at this point.
This isn’t iDrive security breach. This is phishing Attack you by a hacker. If security is paramount to you, IDrive gives you the option to create a private key for encryption, which makes it a zero-knowledge cloud backup service. So IDrive is a secure service.
Did you read the article? I use a different unique email address for every vendor. Only iDrive knew that this particular email address even existed. It is never used anywhere else. Yes, it was a phishing attack but it is also evidence of a breach. How did the sender know that that email address existed and was tied to an iDrive account? The phishing attack was sent to the email address I only use with iDrive and included my name. Clearly either iDrive sold my information or they suffered a breach.
Does that make sense?
Furthermore, in the comments above I note that iDrive admits that they were aware of the breach. They don’t even deny it.