Dropbox's Big, Bad, Belated Breach Notification69 Million Dropbox Passwords Compromised; Last.fm Reportedly Breached in 2012
To the annals of super-bad historical mega breaches that no one knew about, add a new entry: file-hosting service Dropbox. Separately, music service Last.fm also was reportedly breached badly in 2012, although that has yet to be independently confirmed.
See Also: 7 SIEM Trends to Watch in 2019
On Aug. 27, Dropbox began alerting customers that if they had signed up to the service before mid-2012 but not changed their passwords since mid-2012, then they would be required to do so.
"We recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012," Dropbox says on its website, indicating it first heard related rumors in mid-August. Resetting the passwords that it believes may have been exposed "ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts," the alert notes.
Dropbox first learned about that breach in 2012 and issued an alert to users in July of that year, saying it had traced the breach to an employee reusing their corporate password across multiple sites. The company said it added new security features designed to protect against such breaches. But at the time, Dropbox evidently failed to comprehend the true magnitude of the breach and forced relatively few password resets.
What's belatedly come to light, however, is that as a result of that 2012 breach, details for almost 69 million user accounts - including email addresses and hashed passwords - were stolen. The information reportedly began circulating recently on underground forums.
More Historical Mega Breaches
This year has seen a spate of mega breaches belatedly coming to light. Four announced in May came from MySpace - the date of its breach remains unclear, though it's obviously not recent; LinkedIn, which disclosed that its 2012 breach resulted in 165 million passwords being compromised; Tumblr, which warned that 65 million accounts were breached in 2013, prior to its acquisition by Yahoo; and "adult social network" Fling, which said that 41 million accounts were breached in 2011.
On Sept. 1, paid data breach site Leaked Source described yet another old, alleged breach, this one hitting music service Last.fm. Leaked Source claims that the service was hacked in March 2012 and data on 43.6 million users - including usernames, email addresses and passwords - was stolen. While that breach has yet to be independently verified, Leaked Source says that it successfully cracked 96 percent of the site's unsalted passwords, which had been hashed with MD5.
Last.fm didn't immediately respond to a request for comment on that report.
Dropbox Breach: Worse than Believed
Dropbox's Aug. 27 breach alert arrived just a few months after several identity theft services misreported that user data from the site had been leaked (see Dropbox Confident Amidst Breaches).
It turns out, however, that the 2012 Dropbox breach appears to have been much worse than originally believed. Indeed, sometime after Dropbox was hacked in mid-2012, "a large volume of data totaling more than 68 million records was subsequently traded online and included email addresses and salted hashes of passwords, half of them SHA-1, half of them bcrypt," says Troy Hunt, who runs the free Have I Been Pwned? website.
Security experts laud bcrypt as an excellent, purpose-built password-hashing algorithm, but warn that SHA-1 - as well as MD5 - are deprecated and shouldn't be used. Dropbox, to its credit, in recent years appears to have phased out SHA-1 in favor of bcrypt.
Technology news site Motherboard reports that it obtained a sample of the data that hackers allegedly stole from Dropbox, and that it contains details relating to 68.7 million accounts, including email addresses and hashed passwords. It says that an unnamed, senior Dropbox employee confirmed that the information was legitimate.
Dropbox couldn't be immediately reached for comment on that report.
But Hunt says he independently reviewed the data and found it to be authentic. He acknowledges that it contains old passwords set by him and his wife.
That's both my wife's & my unique 20 random character passwords always stored in an encrypted password manager confirmed in the Dropbox data— Troy Hunt (@troyhunt) September 1, 2016
The Dropbox passwords were salted, which refers to the practice of adding data to a password before it gets run through a one-way hashing algorithm, which makes it more difficult for attackers to crack. Whenever users enter their password in the site again, it gets salted and run through the password-hashing algorithm, and if there's a match, then the site knows the password is authentic.
Hunt says that while the passwords are salted, that doesn't mean they were invulnerable. "The risk is they may be cracked, but their password hashing approach means that's only likely with bad passwords," Hunt says via Twitter.
Hunt has added the Dropbox breach to his website's list of the top 10 breaches of all time. It currently holds sixth place, behind breaches of Adobe (152 million accounts exposed), China's Badoo (112 million) and Russian social media site VK (93 million), among others.
Enable Two-Step Verification
Two safeguards against breaches that may happen today, but not be revealed until well into the future, are to use unique passwords for each site - thus blocking attackers from reusing the credentials to log into other sites - as well as to enable two-step authentication whenever possible. The latter means that even if attackers obtain a user's valid password, they can't use it unless they can somehow also obtain, for example, a one-time verification code.
After it was hacked in July 2012, the next month Dropbox introduced two-step verification as a free option for all users. Today, it works via text messages or a mobile app, generating a unique six-digit security code that users must enter to log in. The authentication feature also works with some types of security keys - small USB or near-field communication devices that typically get carried on a keychain and are used as the second step for verification.