Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

2012 Dropbox Hack Results in More Than 68 Million User Credentials Being Exposed

September 6, 2016

So how much damage can a hack from 2012 do? Potentially, quite a bit. As Wired noted, because people so often reuse passwords, or use passwords that are easy to guess from a shared theme, hackers can and do benefit greatly from the revelation of old passwords, even ones that are four years old.

The hack of Dropbox in 2012 has now resulted in the exposure of 68 million user credentials. In late August, Dropbox announced that it had performed a mass account reset and would prompt users who hadn't changed their passwords since mid-2012 to do so. The company wrote, "Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."

In 2012 Dropbox had said that spammers were using credentials obtained in breaches of other websites to access some Dropbox accounts. The company added that one of its employees' accounts had been compromised this way, revealing more user email addresses stored there in a document. But Dropbox failed to offer any hint at the scale of the breach—either last week or in 2012—and it's now clear the data exposure is far larger than its careful public statements let on. Dropbox has taken some heat in the press for that.

Dropbox says that it hasn't seen evidence of intrusion on the compromised accounts – and of course it did the massive password reset. The company has been encouraging users to enable two-factor authentication (which it also did in 2012) and is suggesting that users change their passwords on other sites if they ever reused a Dropbox password somewhere else. You can check whether your email address is included in the breach using the haveibeenpwned tool.

The good news is that the passwords in the data dump are hashed: what was actually exposed is that scrambled data, the output of running each password through a cryptographic algorithm. Some were protected using bcrypt, which is believed to be a more robust algorithm, while others used SHA-1, an older, weaker hashing function. That's the bad news.

Because Dropbox left affected users' passwords unchanged since 2012, hackers in possession of the leak may have had enough time to crack the cryptographic hashes and access not only those users' Dropbox accounts, but any other account where they reused the cracked password.
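As an added example (not Dropbox's code and not part of the original post), here is how a service can tell legacy SHA-1 records from salted slow-hash records, upgrade each one transparently at the user's next successful login, and list the accounts that never came back and therefore need the forced reset the article describes. The bcrypt stand-in is PBKDF2-HMAC-SHA256 from the Python standard library, an assumption made because bcrypt is not in the stdlib; every user record below is constructed.

```python
import hashlib
import hmac
import os

# Assumptions for this example: legacy records are unsalted SHA-1 hex digests,
# and upgraded records use stdlib PBKDF2-HMAC-SHA256 standing in for bcrypt.
PBKDF2_ITERATIONS = 100_000
SLOW_PREFIX = "pbkdf2_sha256$"


def legacy_sha1(password: str) -> str:
    """The fast, unsalted form the article calls the 'bad news'."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes = None) -> str:
    """Salted and deliberately slow: each guess costs 100k iterations per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SLOW_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy(record: str) -> bool:
    return not record.startswith(SLOW_PREFIX)


def verify(record: str, password: str) -> bool:
    """Check a password against either record format using constant-time compares."""
    if is_legacy(record):
        return hmac.compare_digest(legacy_sha1(password), record)
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(store: dict, email: str, password: str) -> bool:
    """On a successful login, replace a legacy hash with a slow salted one."""
    record = store.get(email)
    if record is None or not verify(record, password):
        return False
    if is_legacy(record):
        store[email] = slow_hash(password)
    return True


def accounts_needing_reset(store: dict) -> list:
    """Users still on the legacy format never logged in since the migration."""
    return sorted(email for email, rec in store.items() if is_legacy(rec))


# Constructed store: one user still on a 2012-era SHA-1 record, one already migrated.
USER_STORE = {
    "alice@example.com": legacy_sha1("correct horse"),
    "bob@example.com": slow_hash("battery staple", salt=b"\x01" * 16),
}
```

Accounts returned by `accounts_needing_reset` are the ones a mass reset has to cover, since their owners never triggered the login-time upgrade.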

Dropbox, in the view of many, should have reset affected users' passwords a few years earlier.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson