
Dropbox major breach: change your password asap

Dessi

The Dropbox Hack is Real:
Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.

Here is what you need to do:

1) Use Have I Been Pwned (HIBP) to determine if your account has been compromised. I highly recommend using their Notify Me service to receive emails if an account you use is breached.

2) Change your Dropbox password.

3) Use a service such as 1Password or LastPass to create strong, unique passwords on every site. You never want to reuse the same password on different sites, as a breach on one site could expose your account on others.

4) Enable 2-factor authentication for your highly sensitive accounts, such as the account you use on Google, LastPass, Paypal, eBay, and other sites. In the event of a breach, 2FA can defeat an attacker and prevent them from accessing your account.

5) Use anti-theft software, such as Prey, to track down a stolen laptop or smartphone.
 
Considering how many DB phishing e's come into my work addy every day I'm not surprised - somebody got in there.
 
To be honest, if they want to mess about or steal my KSP ship designs, they're welcome.

There's nothing important in my dropbox - does it expose the rest of my system to attacks or am I just going to lose some out of date KSP craft files?
 

Even if you don't care about your dropbox, the real danger is password reuse on accounts you might care about. The email/password combo you used to sign into dropbox is compromised, and that means any other accounts with the same combo are compromised as well. If you regularly use one password or email for your accounts, you should change all of them.
 
Thank you :)
 
Even then. how long would it take for someone to actually crack bcrypted passwords?

Even salted SHA1 ones would take some time, I presume.
 
It all depends on the company that stores the passwords. If they do not use a one-way encryption with salt then it would be very easy to breach. Then, if you do not use a good password, a dictionary attack plus trying every possible combination of 8 or fewer letters will break the majority of passwords. But first they would try the 100 most common passwords.

Thread about 100 common passwords: I know what your password is and you are an idiot

Youtube about passwords

How not to store passwords
 
A dictionary attack doesn't work with salted stuff, though.
Well it does, but it becomes hugely slow as you have to try the attack on each password individually rather than en masse.

Unlike (for example) the LinkedIn hack a few years ago, where it turned out they only hashed the passwords (IIRC), Dropbox apparently at worst used SHA1 salted, but half (or thereabouts) had been updated to bcrypted ones.
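The two posts above (dictionary attacks against unsalted vs. salted hashes, and the extra cost of bcrypt) can be made concrete with a small added example; this is not code from the thread or from Dropbox. It uses PBKDF2 from the standard library as a stand-in for bcrypt's tunable work factor, and the accounts and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed toy credential set; these are not real accounts or leaked data.
USERS = {
    "alice@example.invalid": "correcthorse",
    "bob@example.invalid": "correcthorse",   # same password as alice
    "carol@example.invalid": "Tr0ub4dor&3",
}

PBKDF2_ROUNDS = 100_000  # stand-in for bcrypt's cost parameter


def store_unsalted_sha1(password):
    # Plain SHA-1: identical passwords always produce identical digests,
    # so one guess can be compared against every account in the dump.
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_slow(password, salt=None):
    # Per-user random salt plus a deliberately slow KDF (PBKDF2 here, since
    # bcrypt is not in the standard library). Returns (salt, digest).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password, salt, stored):
    # Constant-time comparison so the check itself leaks no timing information.
    _, candidate = store_salted_slow(password, salt)
    return hmac.compare_digest(candidate, stored)


def dictionary_work(num_users, dictionary_size, rounds=1):
    # Hash evaluations a dictionary attack costs against each storage scheme:
    # unsalted: each guess is hashed once and checked against all users at once;
    # salted: each guess must be re-hashed with every user's own salt;
    # salted + slow KDF: each of those evaluations is itself `rounds` times slower.
    return {
        "unsalted_sha1": dictionary_size,
        "salted_sha1": dictionary_size * num_users,
        "salted_slow_kdf": dictionary_size * num_users * rounds,
    }


if __name__ == "__main__":
    unsalted = {u: store_unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: store_salted_slow(p) for u, p in USERS.items()}
    print("alice/bob share an unsalted digest:",
          unsalted["alice@example.invalid"] == unsalted["bob@example.invalid"])
    print("alice/bob share a salted digest:",
          salted["alice@example.invalid"][1] == salted["bob@example.invalid"][1])
    print(dictionary_work(68_000_000, dictionary_size=100, rounds=PBKDF2_ROUNDS))
```

The last line models the 68 million records mentioned above against a 100-word list: salting multiplies the attacker's work by the number of accounts, and the slow KDF multiplies it again by the cost parameter.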
 
Someone I know through a study group I belong to sent me a video via Dropbox a few months ago. He sent it unsolicited for me to show at a meeting and insisted I at least open it to ensure he "hadn't wasted his time." (He's a bit of a troll -- in real-life as well as on the Internet.) To download the video I discovered I had to join Dropbox.

About two weeks later I began receiving emails from Dropbox containing a file to be downloaded. I had no idea who the sender was and, worse, I got a Firefox warning that the email appeared to contain a phishing link. What really surprised me was, the Dropbox mail was coming to an email address other than the one to which the original Dropbox file had been sent. An email address different than the one I used when I joined Dropbox. I presumed Dropbox (or a Dropbox user) had hacked either my address book or the one of the person who sent me the video.

I removed the Dropbox program from my hard drive and have had no further problems. I was interested to read this thread however, because after my experience I had asked around if anyone knew if there were any issues with Dropbox -- I Googled it too -- and didn't get any information.
 
From memory, I don't think you do, I think they just hide the 'download this' link somewhere on the page and present the 'join dropbox' link as the big one in the middle.

Not certain about that though, I only use it for sharing virtual toy spaceships.
 
Actually if a person uses one or two common words with predictable variations then it would only take a hacker a few seconds to find that password. If it fails there are plenty of other passwords to crack. Watch the YouTubes I linked above. They are more scary than a horror movie. At least that is fiction. This is horror in real life and impacts on you. After watching those videos I changed one of my passwords.

If the hacked site is an email system then a huge effort is worthwhile. Hack that and then go to every place that is worth getting into and tell them that the person has forgotten their password, please send it again, which many would. So finding one password would lead to the discovery of several others. That is why Gmail is demanding you put in a code sent to you via SMS before you log in. A hacker is not likely to have your phone as well.
 
"A hacker is not likely to have your phone as well."

A few years ago this probably would have been true - these days????

For half the people I know, SMSing their phone would be just the same, as many use their phone to access the net anyway.

And the number of people that don't even have a lock on their phone....
 
I've never had a site send me my password. They always send a link, at which I can reset my password, followed up with an email that my password has been reset.

Doesn't sound like a useful ploy for most hackers.
 
Yes they may send you a link via email which then enables you to reset your password. So if someone else gets access to send and receive your emails then they can get that link to reset passwords. And the hackers can then reset the password and gain access to sites like this forum.
 
As I said... I would get an email notifying me my password had been reset...

Knowing I hadn't done this, I would quickly reset my password...


Would it really be worthwhile for a hacker to do this over and over again? For how many thousands of Users?
 
If they changed the password on your primary email account, I think the mail client on your PC (or phone) would no longer receive emails. That would buy more time for them to reset passwords on additional accounts.

It should be easy enough to automate the process, and I imagine that it would only take a few decent "hits" per 1000 users to make the process worthwhile. (By "hit" I mean something like resetting a user's login credentials for an e-commerce site or two.)

ETA: So I guess the moral of the story is, as someone said above, to use 2 factor authentication for primary email and other important accounts, especially any which allow you to spend money very easily (e.g. Amazon). And lock your phone.
 
You would not get that email if they had access to your emails... And even if you did have access it might be too late. If they took control using this method of your forum account they might decide to publish illegal links here.

The illegal links once clicked could give the spammer control over the computer or maybe install a keylogger. That is all that is required. And well worth it for the spammer.

Edit. You could not easily get control back as they may change the email address for the forum.
 
I asked the guys I work with (it's lunchtime atm) who uses their phone to check emails - all 5 of us do.
I am the only one with a password (a 4-digit PIN number, actually) on my phone.
All of us have our emails open (without asking for a password) when our email apps start up.

So I am the only one of 5 that if I lost my phone, would stand a (small) chance of not having their emails compromised

I checked and I can change my password on my email without having to know the old one - so having any of the other 4 phones, I could easily change their email passwords to a new one.
Using SMSes as a second layer of defence wouldn't help as the SMS would go to the phone I am using, so I would have that too.


Same if the forum introduced an SMS required to change password - I could go to the forum (like most I have it in my favs on the browser), change the password on the email (hence locking out the true poster), change the password on the forum (via access to the email), and introducing SMS verification would do nothing (as an SMS would be sent to the very phone I am using!!!)

Interesting conundrum - at best it would provide a very small (tiny really) level of extra security, and with the number of people that regularly swap providers and often get a new phone number, an SMS could actually prove to be quite a turn off in user usefulness.
Before the advent of smart phones an SMS would indeed have been a useful security provision; these days - bah - it's like providing an old skeleton lock on a brand new house - totally useless.
 
