Hundreds of Dropbox passwords leak online in alleged hack (opens in new tab)

(thenextweb.com)

47 pointssnikch11y ago18 comments

18 comments

12 comments · 5 top-level

minimaxir11y ago· 4 in thread

Link to referenced Reddit thread w/ confirmations: http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox...

Also of note is that Dropbox does not force complex passwords: http://i.imgur.com/v4h0g8D.png

Looks to me like a case of users using the same password for multiple services and one of those services (not likely dropbox) was storing passwords insecurely.

boyaka11y ago

Looks to me like a completely useless claim considering you give zero explanation for it.

1 more reply

dokument11y ago

Nor do they likely salt (I hope they at least hash) their passwords.

ketralnis11y ago

Since nobody has said it yet... don't salt or hash your passwords, and don't parrot the line "salt your hashes" because it's a massive oversimplification and the easy/naive way is wrong.

Hashes, cryptographic hashes included, are designed to be fast. Unfortunately, that means that they're also fast to brute force.

Use bcrypt[1] or a proper key derivation function[2] like PBKDF2[3]

[1] http://en.wikipedia.org/wiki/Bcrypt

[2] http://en.wikipedia.org/wiki/Key_derivation_function

[3] http://en.wikipedia.org/wiki/PBKDF2

glhaynes11y ago· 2 in thread

Attempted to change my password; tried using Safari's suggested random alphanumeric/hyphenated password; was rejected as invalid. :(

ninkendo11y ago

On my machine, Safari misinterpreted the password change form to be two "new password" fields, and didn't get that the first field was an "old password" field. So it auto-filled a new password for both fields, and it was rejected because the old password didn't match.

FYI, don't try and "fix" this by erasing the top password and filling your old one in... that will cause safari to forget that you're generating a new password, and it won't commit the new password to the keychain (and you're now locked out.)

Safari fares better on the password reset link though, which has two "new password" fields and that's it.

glhaynes11y ago

Perfect, thanks for being more observant than I was!

nevi-me11y ago· 1 in thread

I'm still suffering from spam from the last mail address leak, and now this? Time to respect my data and move it elsewhere

EDIT: Dropbox say the leak is from another service that has been compromised. Does anyone know of a service that's been popular enough to store ~7'000'000 user credentials without instead using OAuth? If there is, how did Dropbox not notice that, and how did we ad the Internet community not complain about this service sooner? I assume 7 million accounts aren't immaterial to Dropbox total users.

gdeglin11y ago

Could be another big service that didn't have any connection to Dropbox. People re-use passwords a lot.

LinkedIn leaked 6.5 Million hashed but not salted passwords back in 2012, for example.

kondro11y ago

Dropbox has responded to Ars Technia (not sure if elsewhere) http://arstechnica.com/security/2014/10/7-million-dropbox-us...

The update from Dropbox:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

timrosenblatt11y ago

Just in case you aren't using one already: https://agilebits.com/onepassword

It's ridiculously easy and worthwhile.

j / k navigate · click thread line to collapse