Just days after forcing mandatory password resets for some users, it has come to light that Dropbox was indeed breached, with almost 69 million accounts made public, according to independent analysis.
Earlier reports and rumors whispered that more than 60 million usernames and passwords were stolen directly from Dropbox by hackers in 2012—but the online file-sharing service has insisted that no breach occurred. Compromises of accounts that happened back then were a result of password re-use, the company said, and of hackers brute-forcing the accounts using passwords from other breached services, like LinkedIn or MySpace.
In other words, the blame rested squarely with users’ poor password hygiene.
Now though, independent security white hat Troy Hunt, the force behind the Have I Been Pwned? searchable database of compromised data, said that he’s verified that a large, wide-ranging attack began in mid-2012, resulting in the heist and leaking of 68,648,009 Dropbox account credentials online.
Hunt verified the breach using a known Dropbox account (his wife’s). She uses a password manager and had a strong, random, 20-character password that was unique to the service. A quick matching and hashing process revealed that password to be available online.
“This isn’t ‘cracking’ in the traditional sense because I'm not trying to guess what her password was, rather it's a confirmation that her record in Dropbox is the hash of her very strong, very unique never-used-anywhere-else password,” he explained in a post. “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing.”
A few days ago, Dropbox emailed those that had been using its service since at least 2012 to notify them of a mandatory password reset, as “a preventative measure.” Half of the account passwords were secured by bcrypt and are unlikely to be easily cracked, but others were secured by the outdated and brute-force-ready SHA-1.
“[My wife’s] password was never going to be cracked,” said Hunt. “Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public.”
Hunt congratulated the service on being proactive, and other researchers concur. "Dropbox began taking proactive action to protect their users nearly a week before information about this leak became public,” Josh Feinblum, vice president of information security at Rapid7, said via email. “Their customer-first approach was refreshing and likely mitigated a great deal of risk to their users. Their response to a challenging event is a great model for other cloud companies to follow if faced with a similar situation. It's our belief that the open dialogue about security that companies like Dropbox are promoting about risk, mitigation, and action will help to strengthen the security and technology communities."
Ed Macnair, CEO at CensorNet, added that the incident should be a warning to those that use online services to take precautions, like enabling two-factor authentication.
"What’s concerning about this breach is the fact that Dropbox is a prime candidate for shadow IT,” he said in an emailed note. “Need to finish an urgent piece of work at home? Just upload it to Dropbox and you’re set—no need to tell IT. While there’s some clear benefits to letting employees do this, there are also some major drawbacks—60 million account details somewhere on the internet being one.”
Photo © 360b/Shutterstock.com