2012 Dropbox Hack Far Worse Than Feared
A 2012 hacking incident has turned out to be far worse than initially believed. It turns out that the theft of more than 60 million account details also included passwords.
Online storage company Dropbox admitted to the breach at the time, but only said a list of email addresses of customers had been stolen. It either didn't know or didn't say that passwords were also compromised.
The incident was particularly embarrassing at the time, as the hack proved simple thanks to a Dropbox employee's poor lack of judgement. The employee's LinkedIn password had been stolen as part of a breach at that site, which hackers then correctly used to access on Dropbox. To make things worse, that same employee used Dropbox to store a document with a list of 68,680,741 Dropbox customer emails. (Source: vice.com)
Passwords Also Stolen
It's now emerged that Dropbox may have been particularly careful about the way it explained the breach. While it was technically true that only the email addresses were directly exposed to the hackers, it's now clear they were also able to retrieve customer passwords. However - unlike the email addresses, the passwords were encrypted.
This element of the breach only came to light this week when files appeared on a darknet site used by hackers and criminals. A darknet site is an Internet site that's not directly accessible in a normal web browser without first installing special software.
The good news is that it's unlikely anyone will be able to access the passwords themselves. Around half were encrypted with a secure hash algorithm, a process which makes it extremely time-consuming to crack and decrypt passwords. The rest used a less effective form of hashing, but did also include salt, in which random data is added as part of the encryption process to make decryption more difficult.
Site Resets Unchanged Details
It's not entirely clear when Dropbox management knew that passwords were part of the data stolen in 2012. Last week it carried out a mandatory reset of any account passwords that have not been changed since that time.
In a deeply ironic warning, Dropbox added that "affected users who may have reused their password on other sites should take steps to protect themselves on those sites." (Source: cnet.com)
What's Your Opinion?
If Dropbox knew passwords had been stolen, should they have revealed this? Does it make any difference that the passwords were encrypted? What measures do you take to protect yourself from such massive site breaches?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
Method for keeping passwords
I have an alphabetical Address Book for keepng favorite links, web sites and passwords.
Usually I invent new passwords so as not to use the same password on more than one site.
I find it easy to use pencil so I can rub out old passwords when they are changed.
If I want to file a site under more than one letter of the alphabet, the second entry dose not include the password and instead is labled "see X" where X refers to where the first entry is made. This simple method ensures passwords only require updating in one place.