Dropbox employee’s password reuse led to theft of 60M+ user credentials

Dropbox disclosed earlier this week that a large chunk of its users’ credentials obtained in 2012 was floating around on the dark web. But that number may have been much higher than we originally thought.
Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.
Here’s the exact phrasing from the 2012 blog post:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
Dropbox disclosed in 2012 that an employee’s password was acquired and used

Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/yRWXY9odVGk/

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that “someone has cobbled together a list of credentials that work on Dropbox” hacked either, but proper hacked to the tune of 68 million records.
Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this:

What we’ve got here is two files with email addresses and bcrypt hashes, then another two with email addresses and SHA1 hashes. It’s a relatively even distribution of the two, which appears to represent a transition from the weaker SHA variant to bcrypt’s adaptive workload approach at some point in time. Only half the accounts get the “good” algorithm, but here’s the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don’t. It’s just as well because
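To make the two record layouts concrete, here is an added example (not Dropbox's or HIBP's code) that classifies records by format, shows why the unsalted SHA1 half is the weaker one (every user with the same password shares one identical hash), and implements the rehash-on-login migration that moves accounts from the old scheme to a salted adaptive hash. The standard library's `hashlib.scrypt` stands in for bcrypt, which is not in the standard library; the storage pattern is the same.

```python
import hashlib
import hmac
import os
import re
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")  # bare 40-hex digest: no salt anywhere

def classify(stored):
    """Tell a record's layout apart by format alone, as when triaging a dump."""
    if stored.startswith("$2"):  # bcrypt: cost and salt are embedded in the string
        return "bcrypt"
    if stored.startswith("scrypt$"):
        return "scrypt"
    return "sha1" if SHA1_RE.match(stored) else "unknown"

def legacy_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    salt = salt or os.urandom(16)  # fresh 16-byte salt per record
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"  # scrypt$<salt hex>$<digest hex>

def verify(stored, password):
    kind = classify(stored)
    if kind == "sha1":
        return hmac.compare_digest(stored, legacy_sha1(password))
    if kind == "scrypt":
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(stored, salted_hash(password, salt))
    return False  # checking a real bcrypt record needs the bcrypt package

def login_and_upgrade(store, email, password):
    """Rehash on login: a valid login against a SHA1 record replaces it with a salted one."""
    stored = store.get(email)
    if stored is None or not verify(stored, password):
        return False
    if classify(stored) == "sha1":
        store[email] = salted_hash(password)
    return True

def shared_password_groups(store):
    """Unsalted hashes leak equality: users with the same password share one hash."""
    groups = {}
    for email, stored in store.items():
        if classify(stored) == "sha1":
            groups.setdefault(stored, []).append(email)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}

# Constructed sample store, not data from the real dump: two legacy records, one salted.
SAMPLE = {"a@example.com": legacy_sha1("password"), "b@example.com": legacy_sha1("password"),
          "c@example.com": salted_hash("password")}
```

Run `shared_password_groups(SAMPLE)` to see the two legacy users grouped under one hash, then `login_and_upgrade(SAMPLE, "a@example.com", "password")` to watch that record move to the salted format.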

Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/Lu_zV0TJISc/
