Dropbox: Leaked DB of 68 million account passwords is real

A leaked database purported to contain login information for 68 million Dropbox accounts is the real deal. The cloud biz confirmed the authenticity of the records to The Register, with independent verification from IT security guru Troy Hunt. The archive, which is being shared online, contains Dropbox user IDs and hashed …

  1. Sebastian A

    And *this* is why you properly salt your hashed passwords. I'm talking to you, LinkedIn, MySpace, etc etc.

    1. Destroy All Monsters Silver badge

      But you then also have to go out and tell the world immediately about the breach.

      How LinkedIn’s password sloppiness hurts us all

      Examining the breach, LinkedIn didn’t have very much of an insurance policy. It was employing raw SHA1 for password hashing, but perhaps even worse is the fact that the company never even attempted to cash in on it. Back in 2012 they failed to identify and acknowledge the breach in a timely fashion, and when they eventually did, they apparently only forced a password reset for the accounts belonging to the initial 6.4 million hashes. The evidence suggests that the remaining 165 million accounts were allowed to use those same compromised passwords.

      That’s not the way this should work. When you suspect a password database has been compromised, even just in part, you cash in on that insurance policy immediately by activating your incident response team and your public relations team. Companies ideally should notify the general public and users in an expedited manner, forcing a password reset for all users as soon as the breach is contained and the threat has been eradicated. By the time LinkedIn made a statement about the breach, by contrast, I already had 70 percent of the passwords cracked. Every moment LinkedIn hesitated was potentially devastating for its users. And for the love of god, do not try to downplay the incident by saying something stupid like “Most of the passwords on the list appear to remain hashed and hard to decode.” Instead, companies should just acknowledge the plain and simple fact that if password hashes have been accessed, users are at real and measurable risk of account takeovers.

    2. The Man Who Fell To Earth Silver badge
      Stop

      local encryption

      This is why, as Rob Joyce (head of NSA's Tailored Access Operations (TAO) hacking team) said at the Usenix’s Enigma conference in January 2016, you need to think twice before relying on a Cloud provider's security.

      Use a wrapper like nCrypted Cloud to transparently locally encrypt/decrypt everything before it goes into your Dropbox/Google Drive/....
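The salting point made in comment 1, and the raw-SHA1 remark in the LinkedIn write-up quoted under it, worked through as an added example. This is my code, not part of the original thread and not Dropbox's, LinkedIn's or any library's implementation. The accounts, passwords and attacker wordlist are constructed; PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships in Python's standard library, and the iteration count is an assumption for the demo, not any vendor's setting. It shows why one precomputed table cracks every unsalted SHA1 hash in a dump at once, and why a per-user salt forces the attacker to repeat the work for each account.

```python
import hashlib
import secrets

# Constructed sample accounts, not leaked data. Two users picked the same
# weak password, which is exactly the case that unsalted hashing exposes.
USERS = {
    "alice@example.com": "letmein",
    "bob@example.com": "letmein",
    "carol@example.com": "correct horse battery staple",
}

# Constructed attacker wordlist, in the order the attacker tries it.
WORDLIST = ["123456", "password", "letmein", "qwerty"]

# Work factor for the slow hash. Assumption for this demo, not any vendor's setting.
PBKDF2_ITERATIONS = 100_000


def raw_sha1(password: str) -> str:
    """The 2012 LinkedIn scheme: unsalted SHA1. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus a slow KDF. PBKDF2-HMAC-SHA256 stands in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def store_unsalted(users: dict) -> dict:
    """user -> hex digest, nothing else stored."""
    return {u: raw_sha1(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """user -> (salt, digest). The salt sits right next to the hash; it is not a secret."""
    db = {}
    for u, p in users.items():
        salt = secrets.token_bytes(16)
        db[u] = (salt, salted_hash(p, salt))
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """One lookup table of len(wordlist) digests cracks every matching user at once."""
    table = {raw_sha1(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in db.items() if h in table}
    return cracked, len(wordlist)  # hash computations spent, independent of user count


def crack_salted(db: dict, wordlist: list) -> tuple:
    """No shared table is possible: every guess is recomputed under each user's own salt."""
    cracked = {}
    work = 0
    for u, (salt, h) in db.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                cracked[u] = w
                break
    return cracked, work  # hash computations spent, grows with the number of users


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted: alice and bob share a hash:", plain["alice@example.com"] == plain["bob@example.com"])
    print("unsalted crack:", crack_unsalted(plain, WORDLIST))
    salted = store_salted(USERS)
    print("salted crack:", crack_salted(salted, WORDLIST))
```

Both schemes give up the two weak passwords; what the salt changes is that the attacker's cost is one wordlist pass per account rather than per dump, and that alice and bob no longer stand out as sharing a password. Across tens of millions of accounts that per-account multiplier, together with the KDF's cost factor, is the whole of the "insurance policy" the quoted write-up talks about.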

  2. Destroy All Monsters Silver badge
    Headmaster

    Ummm

    > the attacker would need the salts to decrypt the hashes

    That is not how hashes work.

    I am also not sure the attacker "would need the salts". Generally they are right next to the hash, possibly after or before a separator...

    1. a_a

      Re: Ummm

      Exactly what I was thinking: the salts will be somewhere in the user database record and are added to the password to prevent rainbow table attacks.

    2. Ben Tasker

      Re: Ummm

      > I am also not sure the attacker "would need the salts". Generally they are right next byte to the hash, possibly after or before a separator...

      Absolutely correct - with bcrypt the salt is stored within the "hash", along with the cost used and the resulting cipher text. The cost and salt get split out of the stored string when testing a submitted password.

  3. Anonymous Coward

    Salt with your phish?

    60 million?

    So no biggie then....

  4. wolfetone Silver badge

    *slow hand clap*

    Well bloody done Dropbox. It's good to see you're addressing the problem, it's only taken 4 years.

    1. Ben Tasker

      I emailed them back in 2012/2013 to ask if they'd been compromised because the alias I'd used for them started receiving spam. They said no

      Feeling a little vindicated now

  5. Zippy's Sausage Factory
    Trollface

    Good luck compromising my Dropbox

    Given that I deleted it when they appointed noted privacy campaigner and pacifist Condoleezza Rice to the board...

  6. Anonymous Coward

    4 years?

    I got a mail at the weekend which mentions 2012, but it had no explanation for the delay in sending it.

    No news reports seem to have any kind of justification either.

    Given that bashing a password database these days can be measured in 'attempts per millisecond,' why has it taken more than 126 billion milliseconds for it to come out?

    This is one of the areas where government legislation would be welcome.

    - Minimum requirements for password security and data storage, heavy fines for non-compliance.

    - Breaches must be reported within hours, rather than days / weeks / years. Massive fines for non-compliance.

    - No possibility of just claiming that their systems are safe in their advertising blurb - actual real audits should take place and evidence should be provided on a regular basis to ensure companies are keeping ahead.

    I get that it's the way the world works, there will always be hacks and it will always be a challenge to stay ahead, but there is no justification for keeping quiet for so long.

    1. Seajay#

      Re: 4 years?

      > This is one of the areas where government legislation would be welcome.

      Maybe, but I don't think legislating minimum security requirements is the way to go. That will lead to some services saying "Well we meet the government security standards because we're salting our hashes" and stopping there when actually there may be all sorts of application-specific side channels that are much bigger risks.

      Equally, how about something like https://mailinator.com/? How would your legal security standards apply to something which was insecure by design?

      What you could do I suppose would be to add a requirement to data protection laws that users be informed of any possible loss of their data. That would be genuinely useful and is tech independent so wouldn't immediately become out of date.

  7. Hollerithevo

    Easy way to say goodbye

    I had to set up a Dropbox account when working with a client who wouldn't use my preferred big file exchange service. It's been gathering dust ever since. Now Dropbox will sort this out for me. Win!

  8. Dr Who

    Can someone explain

    How did Troy Hunt verify the leaked data by encrypting his own password with bcrypt and comparing it against the leaked hash when he would have had no idea what salt Dropbox had used for his user account? Or did the leak include the salts?

    1. Ben Tasker

      Re: Can someone explain

      With bcrypt, the salt is stored in the "hash". The output of bcrypt is essentially a string containing the actual hash - in effect ${cost}${salt}${hash} - so if you've got the bcrypt "hash" you've got everything you need except the real password.

      But that's fine, because a salt isn't intended to be secret, it's intended to make it more expensive for an attacker to try and bruteforce hashes

    2. groovyf

      Re: Can someone explain

      Interesting blog post here: https://www.troyhunt.com/the-dropbox-hack-is-real
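Ben Tasker's description of the bcrypt string, made concrete with an added example of my own (not Dropbox's code and not the `bcrypt` library's). It parses the modular-crypt form `$2b$<cost>$<22-char salt><31-char hash>` and decodes bcrypt's own base64 alphabet, so you can see that the cost and the full 128-bit salt are recoverable from the leaked string alone. The sample string is constructed to have the right shape and is not the bcrypt of any real password. Verification itself, recomputing bcrypt over a candidate password with the embedded salt and cost and comparing the result, needs the bcrypt primitive and is left to a proper library.

```python
import re

# bcrypt's own base64 alphabet, in value order 0..63 (it is not the RFC 4648 one).
BCRYPT_B64 = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<ident>$<cost>$<22-char salt><31-char hash>; ident is 2, 2a, 2b, 2x or 2y.
_BCRYPT_MCF = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

# Constructed sample string with the right shape. It is NOT a real bcrypt of any password.
SAMPLE = "$2b$12$" + "abcdefghijklmnopqrstuv" + "0123456789ABCDEFGHIJKLMNOPQRSTU"


def bcrypt_b64decode(text: str, nbytes: int) -> bytes:
    """Decode bcrypt base64 to exactly nbytes; the final few bits are padding and dropped."""
    acc = 0
    bits = 0
    out = bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_B64.index(ch)   # raises ValueError on a bad character
        bits += 6
        while bits >= 8 and len(out) < nbytes:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if len(out) != nbytes:
        raise ValueError("encoded salt/hash too short")
    return bytes(out)


def parse_bcrypt(mcf: str) -> dict:
    """Split a stored bcrypt string into the fields a verifier (or an attacker) needs."""
    m = _BCRYPT_MCF.match(mcf)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be 4..31")
    return {
        "ident": m["ident"],
        "cost": cost,
        "rounds": 2 ** cost,                       # key-setup iterations the cost encodes
        "salt": bcrypt_b64decode(m["salt"], 16),   # 22 chars -> 128-bit salt
        "hash": bcrypt_b64decode(m["hash"], 23),   # 31 chars -> 184-bit digest
    }


def is_valid_bcrypt(mcf: str) -> bool:
    """True when the string has bcrypt's shape and a sane cost, False otherwise."""
    try:
        parse_bcrypt(mcf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fields = parse_bcrypt(SAMPLE)
    print("variant:", fields["ident"], "cost:", fields["cost"], "rounds:", fields["rounds"])
    print("salt:", fields["salt"].hex())
    print("hash:", fields["hash"].hex())
```

The point for a leak like this one is that nothing in the stored string is secret: whoever holds it holds the salt and the cost, and the only thing standing between them and the password is the 2^cost work per guess per account.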

  9. Anonymous Coward

    Troy Hunt

    Sounds quite appropriate for a security researcher - hunting for trojans... did he change his name to suit his job or is this a case of real name + nominative determinism?

  10. Rgl

    What I don't get...

    Like, how this is a LinkedIn breach when I'm not on LinkedIn, and according to haveibeenpwned my dropbox account is included in this. It looks more like a Dropbox employee was hacked on the basis of the LinkedIn breach, and that let the hackers far enough into Dropbox's systems in order to download the complete password file. Like the language Dropbox are using seems deliberately vague, as if they're avoiding saying something, that something being "we were hacked as a result of an employee getting hacked via the LinkedIn breach and using the same password for their corporate login". Am I wrong? Or how else have my account details gotten out there? Note, I'm using unique passwords for all important services. It just looks to me like they're trying to say the minimum possible about how complicit they are, yet cover their arses legally.

    1. This post has been deleted by its author

  11. 0laf

    Hmmm

    Well one of my addresses was in the dump and I wasn't prompted by Dropbox to change my password when I logged in.

  12. Anonymous Coward

    1980's flashback

    "2.21 GB"

    I briefly mis-read that as "1.21 GW" ...

    ...yeah yeah, getting my coat already.

  13. Richard Wharram

    Meh

    If the salt is complex enough then a leak doesn't matter. That's the whole point. It shows that the company's security needs work but they won't get your password.

  14. gmhyman

    password change doesn't help if someone's broken in

    So - I changed my password, and all my various devices still had access to my dropbox data. Contacted support and got a rather condescending lecture about how their security system was based on "tokens" and not password. This is utter BS - yes, you keep a token (aka cookie) to store credentials, but any decent system can revoke credentials from the server - and that's exactly what should have happened. Bottom line - if the bad guys had already gotten into your dropbox data, they're still there even though you changed your password. It only helps on new connections to dropbox. You can, of course, manually "unlink" each device, but I'd wager a very small percentage of users even know about this. Besides - if I can unlink manually, why didn't dropbox do a full unlink when they forced me to change the password? Obviously they care far more about the "optics" than about real security.
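gmhyman's point that a password change should also kill the tokens already handed to linked devices, as an added example of mine rather than a description of how Dropbox's token system actually works. The account store, users and passwords are constructed; tokens are opaque server-side records tagged with a per-account "password generation", so bumping the generation on a password change invalidates every token issued before it without the user unlinking devices one by one. Passwords are stored with a salted PBKDF2 hash (iteration count is a demo assumption).

```python
import hashlib
import hmac
import secrets


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow salted hash for stored passwords; the iteration count is a demo assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccountStore:
    """Constructed in-memory model of accounts plus bearer tokens for linked devices."""

    def __init__(self):
        self.accounts = {}  # user -> {"salt", "pw_hash", "pw_generation"}
        self.tokens = {}    # opaque token -> (user, pw_generation at issue time)

    def create_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "pw_hash": _kdf(password, salt), "pw_generation": 0}

    def login(self, user: str, password: str):
        """Returns a new device token on success, None otherwise."""
        acct = self.accounts[user]
        if not hmac.compare_digest(_kdf(password, acct["salt"]), acct["pw_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, acct["pw_generation"])
        return token

    def verify_token(self, token: str):
        """Returns the user for a live token, None for unknown or stale ones."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, issued_gen = entry
        if issued_gen != self.accounts[user]["pw_generation"]:
            del self.tokens[token]   # issued before the last password change: dead
            return None
        return user

    def change_password_weak(self, user: str, new_password: str) -> None:
        """The behaviour complained about above: new hash, existing tokens untouched."""
        acct = self.accounts[user]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _kdf(new_password, acct["salt"])

    def change_password(self, user: str, new_password: str) -> None:
        """Same, plus a generation bump that revokes every previously issued token."""
        self.change_password_weak(user, new_password)
        self.accounts[user]["pw_generation"] += 1


def scenario(revoke_on_change: bool) -> dict:
    """An attacker already holds a device token when the victim changes password."""
    store = AccountStore()
    store.create_user("victim@example.com", "hunter2")             # constructed account
    attacker_token = store.login("victim@example.com", "hunter2")  # session obtained earlier
    change = store.change_password if revoke_on_change else store.change_password_weak
    change("victim@example.com", "correct horse battery staple")
    return {
        "attacker_token_still_valid": store.verify_token(attacker_token) is not None,
        "old_password_still_logs_in": store.login("victim@example.com", "hunter2") is not None,
        "new_password_logs_in": store.login("victim@example.com", "correct horse battery staple") is not None,
    }


if __name__ == "__main__":
    print("tokens untouched on change:", scenario(revoke_on_change=False))
    print("tokens revoked on change:  ", scenario(revoke_on_change=True))
```

With `change_password_weak` the old password is rejected but the attacker's token keeps working, which is the situation described in the comment; with `change_password` the same token fails on its next use. Tying token validity to a generation counter is cheaper than walking and deleting every token row, and it works just as well for signed tokens if the generation is included in the signed payload.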

  15. TeacherMARK

    Head in the cloud?

    Anyone who commits anything of value to a computer in the sky deserves to be hacked and exposed. It's just amazing that so many millions of dummies thought that this was ever a good idea!

  16. Anonymous South African Coward Bronze badge

    derp durr again

  17. PaulR79
    Thumb Down

    I wondered when this would happen

    Like others I received an email telling me that my password hadn't changed in a while and that I should change it. The first thought I had was to look for news of a leak since that seems to be the only time I ever get prompts to 'update' my password. I did change my password but this just confirms what I thought.

  18. fidodogbreath

    Job done

    Enter current password: password1

    Enter new password: password2

    Confirm new password: password2

    [ OK ]

    All secure again.

  19. Anonymous Coward

    woohoo!

    haveibeenpwned.com makes me happy deep inside. Previously I had wondered if I'd deleted that LinkedIn account before the breach but now I know that it was definitely compromised. And knowing is half the battle! I must have deleted all the account management messages from that old mailbox because it was no help when I was still trying to find out when and whether etc.

    So this time the only question was "did I screw up and reuse a password anywhere, ever" but checking an old Firefox profile shows that I did save the password on linkedin.com, and the password was one of several placeholders I use now and again when I really, really don't care. I guess I just never had much faith in LinkedIn's usefulness... anyway, I certainly reused it many times but always for inconsequential situations and it's stupidly vulnerable to a dictionary attack anyway. So, I don't care. At worst, I later used one of those memorable keyboard patterns and decided not to update the saved login in FF-- a potential unknown but I don't use those on web accounts since forever.

    Thanks HIBP

  20. Jeffrey Nonken

    Weird. Why can't I reach haveibeenpwned with my VPN active?
