Email and password data for more than 68 million Dropbox users is for sale in the darknet marketplace.
The data set, which is from a 2012 breach, includes users’ email addresses as well as obscured passwords. The nearly 5 gigabytes of data represents one of the larger user credential leaks in recent years. Its price is reportedly being set at two bitcoins, the equivalent of about $1,141 U.S. dollars, by a data trafficker on the darknet website TheRealDeal. There are no reports that the dataset has been successfully sold yet.
Dropbox quietly announced the 4-year-old breach last week when it sent out a note to affected users informing them that they would be proactively resetting their passwords. They informed users that their accounts were being reset because the company had been notified about a possible threat. But the full extent of the massive breach was reported by Motherboard and confirmed by an unnamed senior Dropbox employee several days later.
Dropbox was aware of a security breach in 2012 and told its customers, but says that the true scope and size of the hack was new information until last week. Patrick Heim, head of trust and security at Dropbox, said that the company felt it had taken sufficient preventative measures by proactively resetting passwords. Heim added that at this point, there is still no evidence that the users’ passwords have been successfully decoded and sold.
Hacked user credentials can be very valuable among data traders. Email and password data is typically bought and sold on the darknet, a tier of anonymous and largely untraceable Internet access that is often used for illegal activity such as drug or firearms trading. Large numbers of stolen user data can be integrated with software that automatically cycles though email/password combinations in order to hack into different websites. Given that many people reuse the same passwords on multiple websites, this can be a very effective method. Dropbox actually points to an employee’s reused password hacked from another website as the cause of the 2012 Dropbox breach.
But the stolen passwords from Dropbox were all either hashed or salted. Both are methods of obscuring passwords should they fall into hackers’ hands. Hashing converts passwords into a fixed number of random characters while salting adds a secret value to the end of each password. Hashing and salting can help to keep passwords safe in stolen databases, but the danger with hashing and salting is that both techniques can be eventually decrypted, especially for passwords obtained from several years ago. However, at this time there is still no confirmation that any of the passwords have been successfully decoded and sold. It’s one reason why the reported value of the data, at two bitcoins, is so low.
“The value in bitcoin is a really good indicator of how valuable the hack really was,” said Bryan Seely, a cybersecurity expert and hacker at MGT Capital Investments. “Given how low the price is, I’d say the situation probably isn’t too bad.” Hackers set a stolen medical database containing 34,000 patient records at a price of 20 bitcoins, or $13,173 U.S. dollars, this July.
Dropbox has several high profile clients that use Dropbox Business, a premium tier service that offers features like unlimited data storage and extra security. It’s used by companies like Hyatt, Hewlett Packer and Spotify. Dropbox Business was not launched until after the 2012 breach, so these clients are unlikely to have stolen data.
The hack points to the fragility of passwords as a security measure online. “Passwords are outdated, they’re annoying to users, they annoy IT teams, they’re hard to remember,” said Malcolm Harkins, the chief security and trust officer at a security company called Cylance. Harkins added that new security measures such as multi-faceted authentication are far stronger methods. At Dropbox, which offers two-step verification login for users, rate of enrollment for the extra verification measure has increased nearly tenfold since news of the hack.
Tyler Cohen Wood, cybersecurity adviser at Inspired eLearning, agrees, adding that users should take a degree of personal responsibility for their user data. “If you haven’t changed your passwords since 2012, you might want to rethink your own personal password policy and change them more frequently,” he said.
Despite this, he added, companies have a duty to fully disclose breaches. “It is always best to report potential compromises of accounts and passwords to users right away so that they can take action immediately,” he added.
Special to The Washington Post · Karen Turner