Slashdot Mirror


Hackers Stole Account Details for Over 60 Million Dropbox Users

The Dropbox hack is more severe than we expected. Motherboard has the details: Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts. The data is legitimate, according to a senior Dropbox employee. Security expert Troy Hunt has corroborated on Motherboard's claims, and has updated Have I Been Pwned website where you can go and see if you're among one of the victims.

66 comments

  1. Account passwords for cloud services = dumb idea. by Anonymous Coward · · Score: 0

    Government usually has access. Employees definitely have access.

    Just let anyone download anything, but instruct your users to use strong encryption.

  2. Matter of Time by Anonymous Coward · · Score: 1

    Was just a matter of time. It's why I was adamantly opposed to anyone putting this on a business workstation. Dropbox was never HIPAA compliant.

    1. Re:Matter of Time by Adriax · · Score: 1

      I got a telemarketer calling me and a dozen other people at my work trying to convince us to purchase what he called a Dropbox integrator for Citrix.
      Then half an hour later I saw this story. I just wish I had seen this first so instead of politely telling him to go away I could have just laughed until he hung up.

      --
      I don't suffer from insanity, I enjoy every minute of it!
  3. One must wonder... by npslider · · Score: 1

    Is there anyone who uses the Internet that has NOT been affected by a malicious hack?

    Let's just make everything easy and all use the password 12345.

    That's the smartest password I've ever heard of in my life! That's the kinda thing a genius would do ... I've got the same combination on my luggage!

    1. Re:One must wonder... by Anonymous Coward · · Score: 0

      Why limit it to people who use the internet? Last time I was affected by a malicious hack was when a store had their database broken into. I'd never used their website, only ever shopping in store.

    2. Re:One must wonder... by Anonymous Coward · · Score: 0

      Or LastPass, which can automate changing all your passwords at a user-defined interval.

    3. Re:One must wonder... by Anonymous Coward · · Score: 0

      Is there anyone who uses the Internet that has NOT been affected by a malicious hack?

      Yes. Slashdot is perfectly safe and secure. You will never get hacked here.

    4. Re:One must wonder... by Obfuscant · · Score: 1

      ... I've got the same combination on my luggage!

      I don't bother with locks on my luggage anymore. TSA just cuts them off -- even the "TSA approved" locks they have a key for -- as would anyone who wants to break in.

    5. Re:One must wonder... by jader3rd · · Score: 1

      I actually have yet to see a report on a hack for any websites that I use.

    6. Re:One must wonder... by bigfinger76 · · Score: 2

      LastPass, too, was the victim of a 'malicious hack':
      LastPass breach, 2015

    7. Re:One must wonder... by Anonymous Coward · · Score: 0

      I don't bother with locks on my luggage anymore. TSA just cuts them off -- even the "TSA approved" locks they have a key for -- as would anyone who wants to break in.

      That's why I bought a bag that has a built-in TSA combo lock. Which they often forget to close. And, for some reason, the combination seems to default to its secret value when they unlock it, which they often leave set - both leaving the bag unlocked, and disclosing the combination.

    8. Re:One must wonder... by dbIII · · Score: 1

      Is there anyone who uses the Internet that has NOT been affected by a malicious hack?

      Plenty, unless you count failed attacks that are the persistent background noise of the net.
      Dropbox however have been exceptionally, indeed hilariously incompetent with security at times - which makes them "special".
      For some time people were treating it as a high speed bittorrent replacement - if you knew the hash and filename of somebody else's file you could get it from dropbox. So you could go to the pirate bay, find the latest movie rip, add the details to Dropbox and it was yours with the next sync.
      More seriously there were incidents like the one where you could get access to somebody else's account with their username without knowing the password - that was only for about a day but still - WTF?
      There's a long list of other stuff such as the GUI telling you it had stopped sharing to others but the syncing still happening. It started off as a hack and growth was seen as far more important than even the basics of web/net security.

  4. Only apps can app apps! by Anonymous Coward · · Score: 0

    Appbox should have known better, because only LUDDITE software uses LUDDITE passwords. Modern app appers app apps using other apps, NOT LUDDITE passwords!

    Apps!

    1. Re:Only apps can app apps! by Anonymous Coward · · Score: 1

      But..but..is a password app luddite or not?!!?

      Mind blown.

  5. Re:Account passwords for cloud services = dumb ide by Anonymous Coward · · Score: 0

    Government usually has access. Employees definitely have access.

    Just let anyone download anything, but instruct your users to use strong encryption.

    Yes, because any security measure that doesn't (fictionally) eliminate risk entirely is better off just not existing at all. Sure.

    Or, how about you don't rely on a single layer of security, and don't use simple passwords that would be cracked in minutes with dictionary or hybrid attacks, and make sure you don't reuse passwords for different sites, etc...

  6. I'm curious by Anonymous Coward · · Score: 1

    What about those accounts that used Google to log into Dropbox? I've seen an increase in that lately, sites using services like Google or Facebook to log in users.

    1. Re: I'm curious by Anonymous Coward · · Score: 0

      "Lately"

      Have you been under a rock? Not new stuff.

  7. Just for the record... by ravrazor · · Score: 5, Informative

    Just FYI, although slashdot postings have never been extremely literate: Nobody corroborates ON something, you just corroborate something, i.e. I corroborated the claims about Dropbox. At least someone may have learned something on slashdot today.

    1. Re:Just for the record... by b0bby · · Score: 2

      And if we're going to go there: you can't be "among one of the victims", you could be either among the victims or one of the victims.

    2. Re:Just for the record... by tendrousbeastie · · Score: 1

      It's also missing an article 'the' or a possessive 's' from the sentence snippet "and has updated Have I Been Pwned website".

    3. Re:Just for the record... by jimbolauski · · Score: 1

      Not true, someone could corroborate the story ON the toilet.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    4. Re:Just for the record... by NotAPK · · Score: 1

      Possible misuse of "collaborate"? We certainly "collaborate on" projects.

    5. Re:Just for the record... by Carewolf · · Score: 1

      And if we're going to go there: you can't be "among one of the victims", you could be either among the victims or one of the victims.

      Well, one of the victims could be spread out over a large area, and could be among it.

    6. Re:Just for the record... by Anonymous Coward · · Score: 0

      And if we're going to go there: you can't be "among one of the victims", you could be either among the victims or one of the victims.

      What if it's an account shared by a group?

    7. Re:Just for the record... by johncandale · · Score: 1

      That is a style thing, not a grammar rule. Pedants are always the slowest in the class tbh.

  8. Is this website legit? by __aaclcg7560 · · Score: 3, Interesting

    I played around with the https://haveibeenpwned.com/ website, confirming that very old email addresses were compromised in the last few years. But how legit is this website?

    1. Re:Is this website legit? by Richard_at_work · · Score: 5, Informative

      Extremely legit, Troy Hunt goes to great lengths to ethically report breaches, hiding "sensitive" results (so you can't search someone's email to see if they were a Maddison Ashley account holder, for example) as well as verifying a dataset is authentic (there are fake ones going around).

      You should sign up to that site immediately, if you haven't already. You get email notifications if a new breach includes your email address, which is worth it alone.

    2. Re:Is this website legit? by Richard_at_work · · Score: 1

      Urgh, that's Ashley Madison, the dating site for people wanting to have affairs...

    3. Re:Is this website legit? by Anonymous Coward · · Score: 0

      Which of course gives him your email address.

    4. Re:Is this website legit? by Anonymous Coward · · Score: 0

      To be fair he already has it, or will have it in the future.

    5. Re:Is this website legit? by phishybongwaters · · Score: 1

      They listed my account as pwned in the Myspace hack. I've never been to Myspace, let alone registered an account. In fact I'd go so far as to say the hack predates the email they say was compromised.

    6. Re:Is this website legit? by Anonymous Coward · · Score: 0

      But by searching for it, it tells him that it's a legit email address that is actively being used. This tells him it's a good target for other malicious activity and spam. It's the same reason you never click unsubscribe links.

    7. Re:Is this website legit? by Anonymous Coward · · Score: 0

      Interestingly I checked an email address I no longer use and see it was part of the Myspace compromise. I've never had a Myspace account in my life.

    8. Re:Is this website legit? by cdrudge · · Score: 3, Informative

      Is it possible that your email account was previously used by someone else, or that someone else signed up under your account?

      Also, not all the data necessarily pertains to login account data. Perhaps your email address was a backup contact address, a friend's contact, referral, etc. There's lots of ways some basic information about you could be "compromised" with a data breach even if you never had an actual account.

    9. Re:Is this website legit? by Anonymous Coward · · Score: 0

      I have a couple of domain names and always use separate email addresses for each thing I sign up for (helps keep track of who's leaking/sharing info and blocking crap), I wish there was an easy way to check haveibeenpwned without having to enter every bloody address I've used!

    10. Re:Is this website legit? by Anonymous Coward · · Score: 0

      DOH!
      Never mind.. I just saw the DomainSearch option.. the one in big letters at the very top of the page.
      I need more coffee!

    11. Re:Is this website legit? by war4peace · · Score: 1

      Same here, my e-mail address is showing as "pwned" for Gamigo, a German online publisher which I've never heard of.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    12. Re:Is this website legit? by Anonymous Coward · · Score: 0
    13. Re:Is this website legit? by Anonymous Coward · · Score: 0

      Could be a site that allows registration silently (no confirmation email, not even a 'You have successfully registered' email), though that doesn't seem likely. I don't know the details of the Myspace hack; is it possible the data was sold, and whoever sold it padded it out with emails collected from other places?

    14. Re:Is this website legit? by war4peace · · Score: 1

      Most likely, yeah.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  9. database trading community? by BringsApples · · Score: 1

    Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community.

    What the hell is the database trading community?

    --
    Politics; n. : A religion whereby man is god.
    1. Re:database trading community? by Anonymous Coward · · Score: 0

      Underground forums etc. that trade in stolen db dumps.

      Or should I say Shadow communities that facilitate the monetized trading of pilfered cyber identity passports.

    2. Re:database trading community? by Anonymous Coward · · Score: 0

      plus they have the best parties.

    3. Re:database trading community? by Anonymous Coward · · Score: 0

      Evil-doer orgies.

  10. rofl by Anonymous Coward · · Score: 0

    I've been pwned. Well, that's it for me about Dropbox lol...

  11. Re:Account passwords for cloud services = dumb ide by clong83 · · Score: 1

    ^^^^

    All of this, mod it up. I have Dropbox and just changed my password anyways, even though they say I wasn't part of the hack. It's a good thing to do every year or so anyhow, because not all hacks get noticed and reported.

  12. Grain of salt by phishybongwaters · · Score: 1

    Just for giggles I went there and put in my throw away email that I use to register to crap. Apparently I was "pwned" in the Myspace hack. Funny thing is I've never had a Myspace account. Ever. I'm not calling bullshit, but when the site tells me I'm owned and asks for a donation, I'm going to question it. But I know 100% I have never registered a Myspace account.

    1. Re:Grain of salt by Anonymous Coward · · Score: 1

      Same for me. I've never had a Myspace account, but the junk email I checked was part of that compromise. Could be other spammers registering accounts with my email though, as I've seen that happen no less than 5 times with my email address being used to create junk Facebook accounts. They are never fully activated because they can't get the verification email, but it still creates a partial account which generates junk activity emails, which is very annoying. Part of the reason I am changing to a new email address that is hard to guess.

    2. Re:Grain of salt by Striek · · Score: 1

      He doesn't actually ask for donations. He provides a way to donate because people have repeatedly expressed strong desires to donate to the project for the service they receive. He doesn't mince words on the time investment required, though.

      Why donate?
      Ok, so donations. Many people love this service and to my surprise, many have actually asked to donate. In all good conscience, I can't on the one hand write about how awesome and cost effective Azure is then on the other hand ask for donations to fund it. It's cheap — I've got it covered.

      Let me instead talk about the sacrifices required to make a service like this work. It can be enormously time consuming and that's the real cost here. Plus there are a few services I pay for out of my own pocket to make the magic happen. If you want to kick in to help me cover those costs, that would be awesome. And no problem if you don't want to either; just share the love and help others make use of the service.

      --
      "Government is like fire; a handy servant, but a dangerous master." -- George Washington
    3. Re:Grain of salt by jittles · · Score: 2

      Just for giggles I went there and put in my throw away email that I use to register to crap. Apparently I was "pwned" in the Myspace hack. Funny thing is I've never had a Myspace account. Ever. I'm not calling bullshit, but when the site tells me I'm owned and asks for a donation, I'm going to question it. But I know 100% I have never registered a Myspace account.

      And you're sure that you've been the only person to own that email address? My throw away email address got leaked in a hack and someone used it to sign up for an Instagram account without my knowledge or consent. I get emails from Instagram all the time saying that there is suspicious activity associated with the account I never created. So one day I went to Instagram and did the password recovery on that throw away account and, sure enough, they let someone create and use an account without me ever authenticating the email address.

    4. Re:Grain of salt by Anonymous Coward · · Score: 0

      I'm glad I saw this. I also gave it a try, just out of interest and was surprised to find I have a compromised account with Adobe of all people. Apart from Flash, I don't have any Adobe products and I know I've never given Adobe my email address or registered with them for anything. Nor have I had any emails from them.

    5. Re:Grain of salt by Anonymous Coward · · Score: 0

      These young kids... Email has been around a lot longer than you have. Someone else very well could have had that same email address and gave it up before you got it. If you want a unique email address, get your own domain name; don't use Gmail, Hotmail, Yahoo, etc.

      I can tell you, working IT in a corporate environment, we have had several people over the years that have ended up with the same email address as a previous employee.

      Example: Rob Smith worked here in 1994 (yes we had email back then kiddo) and then he quit, email was forwarded for a period of time, then all trace of him was removed from the system. In 1997 we hired Ron Smith, he got assigned Rob's old email address (first initial, last name format).

      That's how it happens and that's probably how it happened for you.

    6. Re:Grain of salt by Bob+the+Super+Hamste · · Score: 1

      I just put in the bogus e-mail I have always used bob@bob.com and that appears to have been breached 48 times and also has 48 pastes.

      --
      Time to offend someone
    7. Re:Grain of salt by Anonymous Coward · · Score: 0

      At some point Snapchat must have allowed sign-ups without verifying email addresses either. For the sake of about 5 minutes worth of curiosity I recently installed it. Went to sign up, my email address (not my throwaway) was already registered. Initially thinking I must have done it previously and then forgot about it, I reset the password ... Nope, someone else's Snapchat account!

    8. Re:Grain of salt by david_thornley · · Score: 1

      I have my own domain which I use for email. One very unpleasant week a spammer decided to use my domain name to allegedly send email from, using a very large number of fictitious accounts in that domain. I was hit with something on the order of four thousand backscatter spam messages in one day. If you have a first name that's not too rare in the US, there has been at least one email sent with your name @ my email domain.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  13. Re:Account passwords for cloud services = dumb ide by jellomizer · · Score: 1

    Old XKCD
    For some reason we haven't found a way to transfer files well yet.
    Or we have, but most people just don't want to use it.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  14. This is why I don't trust cloud storage. by Larsen+E+Whipsnade · · Score: 1

    I suppose I could encrypt and upload, but that feels like too much hassle to me. Got my encrypted external drives to plug into the USB. Am I missing something?

    1. Re:This is why I don't trust cloud storage. by Anonymous Coward · · Score: 0

      If all you want is somewhere to dump stuff, then no, you're not.

      But if you want automatic syncing between a bunch of machines running different operating systems, Dropbox is pretty much it.

  15. My money is on Condoleezza by Anonymous Coward · · Score: 0

    This is what happens when you put Condoleezza Rice on your BOD.

  16. cloud services: dumb idea by fyngyrz · · Score: 1

    How about: live by the cloud, die by the cloud. Or, trust someone else with your data, and just consider it pre-shared.

    --
    I've fallen off your lawn, and I can't get up.
    1. Re:cloud services: dumb idea by clong83 · · Score: 1

      Sure, I'd agree with that.

      I mostly use Dropbox as an extra external backup, which is conveniently also easy to share with others without having to host anything myself. Certainly not as mission critical primary storage, or for sensitive documents. Mine is mostly full of family pictures and videos that we all share with each other. Nothing business related, and nothing that would be potentially compromising if it were to be lost and/or stolen.

      Whatever your usage, and however trivial the website is, you cannot go wrong with strong passwords, rotated occasionally, and non-repeated across various sites.

  17. https://haveibeenpwned.com/ by Anonymous Coward · · Score: 0

    Eeww, I'm not going to trust a website using StartCom for their certs

  18. Re: Account passwords for cloud services = dumb id by Anonymous Coward · · Score: 0

    If I want you to have a file, I will make sure you get it. Probably not via Dropbox, however. Not unless I want multiple people to have it.

  19. Re:Account passwords for cloud services = dumb ide by Anonymous Coward · · Score: 0

    Yes, because any security measure that doesn't (fictionally) eliminate risk entirely is better off just not existing at all. Sure.

    From a social engineering standpoint, that may actually be true. If people see there are provided access control mechanisms, many (most?) will assume it is good enough and look no further to secure their data.

    For a physical parallel - ask yourself how many people would still buy a padlock for a storage locker that already has a lock on it?

  20. Oh no, I've been pwned! by swell · · Score: 1

    Those dastardly demons. According to 'Have I Been Pwned', I've been pwned on three sites that I've never visited. Surely that requires some very sophisticated hacking. I was offered more detailed information in return for a donation/subscription.

    --
    ...omphaloskepsis often...
  21. All Thanks To Gay Lovers Timmy C. and Jony Ive by Anonymous Coward · · Score: 0

    My mid-2009 MBP with a Drop Box has been retired to my other Domicile, not Office, and completely different network.

    I only used the Drop Box for a week at a NASA "shindig" in Virginia in 2014, and again for less than a week in 2015.

    I did not trust Drop Box in the beginning and now I am rewarded with the truth and I am safe.

    Ha ha