What the Dropbox Hack Can Teach You About the State of Web Security
In the past week, Dropbox had been making headlines over a hack which saw the email addresses and passwords of 68 million Dropbox accounts compromised. For any Dropbox user this is of course a point of concern, particularly if you store anything in Dropbox, be it personal or for work.
Your photos, documents, data etc could be accessed without your knowledge using your email address and password lost in that particular hack. The good news is there hasn’t been any reports of anything malicious coming out of the Dropbox hack, so far. However, that doesn’t mean that there is nothing to worry about.
About the Dropbox hack
First of all, let’s get this out of the way: the Dropbox hack didn’t just happen last week. More than 68 million email addresses and passwords were stolen in the hack, yes, but the hack itself happened 4 years ago, back in 2012.
Rather than imagine a Hollywood hacker scene (many of which got hacking terribly wrong), the hack came to be due to human error.
Hackers had used usernames and passwords from another data breach to sign-in to Dropbox accounts. One of these accounts belonged to a Dropbox employee, who had used the same password for both the breached site and for their Dropbox account.
Coincidentally, the same employee had a folder full of documents containing the email addresses of 68,680,741 Dropbox accounts as well as hashed passwords. Game, set and match.
1. Dropbox wasn’t alone; LinkedIn was similarly hacked
Back in May 2016, LinkedIn announced something similar to last week’s Dropbox hack. They implored LinkedIn users to change their passwords "as a matter of best practice" after becoming aware of the theft of a set of emails and passwords that had occurred – you guessed it – in 2012.
If you clicked that link in the previous paragraph, you’ll find no mention of how big a data loss this was even though the sense of urgency is apparent with the frequent updates to that particular page.
What happened was that more than 117 million LinkedIn accounts were affected, though it’s possible that the actual number could be as high as 167 million.
2. Why are the hacked passwords resurfacing now?
The data sets for both Dropbox and LinkedIn are reportedly being traded in the dark web now (or they were, leading up to a week ago).
LinkedIn’s set was initially on sale for $2,200 while Dropbox’s is going for a little over $1,200. The value of these data sets diminishes the longer they are out there, because once the bulk of the users have changed their passwords, the data sets are of little to no value.
But why now? Four years after the hack? The closest I got to an answer comes from Troy Hunt (he gets mentioned quite a bit in this post, and pretty much everywhere else) who writes a lot about cybersecurity. I’ll just quote what he has to say:
Inevitably there’s a catalyst, but it could be many different things; the attacker finally deciding to monetise it, they themselves being targeted and losing the data or ultimately trading it for something else of value.
3. Hacks and data dumps happen more often than everyone cares to admit
While reading about this Dropbox hack, I came across this database directory, Vigilante.pw, a site which features information on data breaches. At the time of writing, the full database contains information on 1470 breaches amounting to over 2 billion compromised accounts.
The largest of the lot is the Myspace hack in 2013. That hack affected more than 350 million accounts.
In the same directory, Dropbox’s 68 million entries is the ninth largest in the history of known data dumps, so far; LinkedIn’s the fifth largest although if the number was corrected to 167 million instead, that would make it the second largest data dump in the directory.
(Note that the dates of the data dumps for Dropbox and LinkedIn are listed as 2012, instead of 2016.)
It’s worth noting, however, that the infamous Ashley Madison hack as well as the game-changing RockYou hack were not included in the directory. So what’s really happening out there is bigger than what you see on the site.
haveibeenpwned.com is another source you can use to look at the severity of hacks and data dumps that are plaguing online services and tools.
The site is run by Troy Hunt, a security expert who writes regularly about data breaches and security issues including about this recent Dropbox hack. Note: the site also comes with a free notification tool that will alert you if any of your emails have been compromised.
You will be able to find a list of pwned sites, the data of which has been consolidated into the site. Here is its list of the top 10 breaches (just look at all those numbers). Find the full list here.
Still with me? It gets much worse.
4. With every data breach, hackers get better at cracking passwords
This post on Ars Technica by Jeremi Gosney, a professional password cracker, is worth a read. The short of it is that the more data breaches occur, the easier it gets for hackers to crack future passwords.
The RockYou hack happened back in 2009: 32 million passwords in plaintext were leaked and password crackers got an inside look into how users create and use passwords.
That was the hack that showed proof of how little thought we give to selecting our passwords e.g. 123456, iloveyou, Password. But more importantly:
The RockYou breach revolutionized password cracking.
Getting 32 million unhashed, unsalted, unprotected passwords upped the game for professional password crackers because, although they weren’t the ones that carried out the data breach, they are now more prepared than ever to crack password hashes once a data dump occurs. The passwords obtained from the RockYou hack updated their dictionary attack lists with actual passwords people use in real life, contributing to significantly faster and more effective cracking.
Subsequent data breaches would come: Gawker, eHarmony, Stratfor, Zappos, Evernote, LivingSocial – and with some hardware upgrade, it was possible for the author (after teaming up with a few industry-relevant teams) to crack up to 173.7 million LinkedIn passwords in a mere 6 days (that’s 98% of the full data set). So much for security, huh?
5. Hashing passwords – do they help?
There is a tendency for a site that has experienced a data breach to bring up the words hashed passwords, salted passwords, hash algorithms and other similar terms, as if to tell you that your passwords are encrypted, and ergo your account is safe (phew). Well…
If you want to understand what hashing and salting is, how they work and how they get cracked, this is a fine article to read up.
At the risk of simplifying the concepts, here goes:
- Hash algorithms change a password to protect it. An algorithm obscures the password so that it is not easily recognizable by a third party. However, hashes can be cracked with dictionary attacks (which is where point 6 comes in) and brute force attacks.
- Salting adds a random string to a password before it is hashed. This way, even if the same password is hashed twice, the outcome will be different due to the salt.
Coming back to the Dropbox hack, half of the passwords are under the SHA-1 hash (salts not included, which makes them impossible to crack) while the other half are under the bcrypt hash.
This mix indicates a transition from SHA-1 to bcrypt, which was a move ahead of its time, as SHA-1 is in the midst of being phased out by 2017, to be replaced by SHA-2 or SHA-3.
That said, it is important to understand that "hashing is an insurance policy" that merely slows down hackers and crackers. Even if these added protections make passwords "hard to decode", it doesn’t mean they are impossible to crack.
At best, the hashing and salting just buy users time, enough to change their passwords to prevent a takeover of their account.
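To make points 4 and 5 concrete, here is an added example (my own code, not anything from the original post or from Dropbox) that contrasts the two storage schemes the post describes. It uses only the Python standard library: plain SHA-1 stands in for the unsalted half of the dump, and PBKDF2-HMAC-SHA256 stands in for bcrypt, since bcrypt is not in the standard library and the design point (a random per-user salt plus a deliberately slow function) is the same. The four-entry wordlist is constructed for the example and is not breach data. Note that it is the unsalted hashes that are the easy ones: one precomputed table answers every unsalted dump, whereas a per-user salt forces a fresh, slow computation per guess per account.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist standing in for the RockYou-style dictionaries
# the post describes (hypothetical data, not from any real breach).
COMMON_PASSWORDS = ["123456", "iloveyou", "Password", "letmein"]

# --- Unsalted SHA-1: the weak, 2012-era scheme ------------------------------

def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 of the password with no salt. Same input, same output."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute hash -> password once; it applies to every unsalted dump."""
    return {sha1_unsalted(p): p for p in wordlist}

def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """A single dictionary lookup answers the question 'is this a common password?'"""
    return table.get(stored_hash)

# --- Salted, slow hash: PBKDF2 as a stand-in for bcrypt ---------------------

ITERATIONS = 200_000  # assumption: a cost chosen to make each guess slow

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def demo() -> dict:
    """Run both schemes on the same password and report what each reveals."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two users who both chose "iloveyou" get the identical unsalted hash...
    h1, h2 = sha1_unsalted("iloveyou"), sha1_unsalted("iloveyou")
    # ...and one table lookup identifies it as a common password.
    recovered = lookup_unsalted(h1, table)
    # With a per-user salt the same password yields different digests, so no
    # precomputed table applies and every guess costs ITERATIONS rounds.
    s1, d1 = hash_password("iloveyou")
    s2, d2 = hash_password("iloveyou")
    return {
        "same_unsalted_hash": h1 == h2,
        "recovered_from_table": recovered,
        "salted_digests_differ": d1 != d2,
        "verify_correct": verify_password("iloveyou", s1, d1),
        "verify_wrong": verify_password("Password", s1, d1),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsalted SHA-1 of "iloveyou" is identical for every user and is answered by the table instantly, while the two salted digests differ and can only be checked by redoing the slow computation with the stored salt. That is exactly the "buys users time" effect the post describes: salting removes the one-table-fits-all shortcut, and the slow function multiplies the cost of every remaining guess.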
6. The aftermath of hacks (data breaches)
(1) Hacks could be relatively benign like the Dropbox hack, or have devastating outcomes like the Ashley Madison data breach.
In the latter, 25GB of data including actual home addresses, credit card transactions, and search history of their users were leaked. Due to the nature of the website, there were many instances of public shaming, blackmail, extortion, divorces and even suicides.
The hack also exposed the creation of fake accounts and the use of chatbots to lure paying customers to sign up for an account.
(2) Hacks also show our indifference in selecting passwords – that is until a breach has occurred.
We have established this when discussing the RockYou breach in #4. If you have a lot of important data floating around on the Web, it’s a good idea to use a password management app. And enable two-step authentication. And never reuse passwords that have been in a data breach. And make sure other people you work with adopt the same safety measures.
If you want to take it a step further, sign up for a notification tool that alerts you when your email is involved in a data breach.
(3) Hacks show a site’s indifference to protecting user passwords and data.
In the case of Dropbox vs LinkedIn, you can see that Dropbox took better, more calculated measures to minimize damage from a data breach like this.
Dropbox used better hashing and salting methods, sent emails to users prompting them to change their passwords as soon as possible, offered two-factor authentication and Universal 2nd Factor (U2F) which utilizes a security key, and made staff policy changes (Dropbox employees now use 1Password to manage their passwords, corporate account passwords can no longer be reused, and all internal systems are on 2FA).
For a breakdown of what LinkedIn did, this article is perhaps a more thorough and suitable read.
To be frank, learning about all this just from studying the Dropbox hack has been an eye-opening and terrifying experience. We, the general population, sorely underestimate the need for unique and strong passwords even after being told multiple times to never share or repeat passwords, or use dictionary words in them.
If your data was affected by the Dropbox hack, do take the necessary precautions to secure your personal information. Put some effort into your passwords or get a password manager. Oh, and tape over your laptop camera or webcam when it’s not in use. You can never be too careful.
(Cover photo via GigaOm)