Attacks/Breaches

8/31/2016
05:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Intruders Pilfered Over 68 Million Passwords In 2012 Dropbox Breach

But all passwords were hashed and salted and no evidence they have been misused, company says.

Reports this week that as many as 68 million email addresses and passwords were leaked online as the result of a 2012 breach of Dropbox has grabbed wide attention for its sheer scope. But the fact that all of the passwords were hashed and salted makes the incident less severe for users than it otherwise might have been.

In a seemingly routine email, Dropbox last week said that users who had signed up for the service prior to 2012 and had not changed their password since then would be prompted to reset it when they next attempted to sign in.

It also encouraged individuals who used their Dropbox password to log into other sites to change passwords to those sites as well, and recommended that they enable two-factor authentication as an additional security measure for protecting access to their accounts.

The company described the move to proactive reset user passwords as a purely preventive measure and not because there was any indication of accounts being breached. “Our security teams are always watching out for new threats to our users,” said Patrick Heim, head of trust and security at Dropbox in the email.

As part of these efforts, the company learned about a set of email addresses, together with hashed and salted passwords, that were illegally obtained in a 2012 security incident and subsequently leaked online.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” Heim said. In comments to Motherboard, he said Dropbox initiated the reset to ensure that passwords from prior to 2012 cannot be used to access user accounts. Motherboard, which examined the leaked data, said about half of the passwords appear to have been hashed using the bcrypt hashing function, and the rest were protected via SHA-1.

Dropbox had originally described the 2012 security incident as one in which someone had used a stolen password to access an employee account that contained a document with user email addresses. At the time, Dropbox had said the incident only involved a small number of email addresses.

This week’s sudden broadening scope of the breach triggered many familiar recommendations from security experts on what users need to be doing to mitigate fallout from breaches like this.

“This has become a common enough occurrence that people should be taking all of the most common precautions with their user accounts and passwords when using online services,” said Nathan Wenzler, principal security architect at independent security consulting firm AsTech Consulting in a statement.

Breaches like this show why it is important for users never to reuse passwords across sites and to ensure passwords are long enough and complex enough to make them difficult to guess via brute force methods.

“There's a reason why companies have their employees change their passwords regularly. Employ the same practice for your personal accounts and credentials, too,” he said.

The breach is an important reminder why passwords alone are no longer sufficient as a form of user authentication said Ryan Disraeli, co-founder and vice president of mobile identity company TeleSign.  

“Dropbox appeared to practice good user data security protections, encrypting the passwords and updating the encryption standards.” But as the breach shows, even when good protections are used, passwords alone cannot provide enough protection, he said in a statement.

Meanwhile, DropBox’s failure so far to disclose why it took the company more than four years to discover the true scope of the breach drew criticism from some quarters.

The fact that user accounts taken in an incident in 2012 are only now coming to light is significant, said Chris Roberts, chief security architect at advanced threat detection vendor Acalvio.

It would interesting to know why Dropbox didn’t do more to determine the true scope of the 2012 intrusion until someone actually leaked the hacked accounts, he said in a statement. “It would be good to work out or understand why Dropbox didn't put its hand up and admit the issue back in 2012.”

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
9/22/2016 | 10:15:16 AM
Dropbox hack
It's just baffling to me that how come companies of such stature and size can become the victim of hacks, what bugs me is that end user is at risk all the time. Risk of information leak lingers over our heads. I use encryption mehtods, file folders password locking method, deploying VPN method, purevpn is the server I use to secure my connection and especially while carrying out banking and other financial transactions to keep my passwords and account secure. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/31/2016 | 7:58:46 PM
It would be good to work out or understand why Dropbox didn't put its hand up and admit the issue back in 2012.
Begs the question was dropbox aware of the security incident at the time or did they only start doing forensics work when the accounts were leaked?
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
CVE-2019-9925
PUBLISHED: 2019-03-22
S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.
CVE-2019-9927
PUBLISHED: 2019-03-22
Caret before 2019-02-22 allows Remote Code Execution.
CVE-2019-9936
PUBLISHED: 2019-03-22
In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.