The Dropbox credentials in question come from a breach that took place in 2012.
What started out last week as a warning by Dropbox to its users that some login data may have been compromised has exploded into a massive data breach with an estimated 68 million Dropbox user credentials being exposed on the web, but industry insiders say the company has handled the problem quite well.
Most security professionals praised Dropbox for its reaction to the crisis saying the company reacted quickly and its security arrangements protected the most important customer data that had been stolen.
The Dropbox credentials in question come from a breach that took place in 2012 and were noticed online by the breach notification service Leakbase, which then informed Motherboard. Independent cybersecurity researcher Troy Hunt confirmed on his blog that the credentials are in fact those of Dropbox users by checking some of the data that was found for sale. Dropbox also confirmed the report.
“What we’ve got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. Only half the accounts get the “good” algorithm but here’s the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don’t. It’s just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it’s near impossible,” Hunt wrote.
Patrick Heim, head of trust and security at Dropbox, told SCMagazine.com in a written statement that the number of users affected is accurate, but there is no indication the exploited information has been used to access any Dropbox accounts.
“We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts,” Heim said.
Despite the scale of the breach, Hunt and others commended Dropbox on how it is handling the situation.
Hunt noted the excellent communication and the fact the passwords, at least, were decently protected, while another security exec called Dropbox’s action a model for the industry to follow.
“The Dropbox data hit the market recently with all signs pointing towards the credentials encryption remaining intact. It’s hard to argue that Dropbox managed this situation poorly when the credentials have been protected for four years, which could be indicative of certain cryptographic components remaining intact during the initial compromise,” Josh Feinblum, Rapid7’s VP of information security told SCMagazine.com in an email.
However, not everyone had a positive viewpoint. Chris Roberts Acalvio’s chief security architect, believes Dropbox should have taken stronger action earlier.
“It’s interesting that user accounts taken in an incident in 2012 are only now “coming to light”. That’s an awfully long time to wait before publicly stating that “we have an issue”. It’s frustrating that the organization potentially knew of the problem, but didn’t confirm it, as there was no credible evidence that the data was in the wild?” he told SCMagazine.com in an email.
Dropbox did state in 2012 that usernames and passwords had been stolen, but gave no details as to the potential scale of the problem. At that time the cloud storage company did recommend users change their passwords and implement two-factor authentication.
One of the major takeaways from this incidents, besides the importance of good password management, is the potential danger posed for companies whose employees use cloud-storage.
“Business leaders, especially those in IT risk management, must take this as another alarm bell worth hearing,” said Chris Ensey, COO of Dunbar Security Solutions, adding that the huge number of SaaS applications available merely increases the pathways in and out of a company that have to be secured.
Even though the important information were salted and hashed cybercriminals can still make use of the data that was posted in the clear, such as email addresses.
Matthew Gardiner, Mimecast’s cybersecurity strategist pointed out to SCMagazine.com in an email that these emails could be used down the road as part of a phishing scam. AdamLevin, chairman of IDT911 said email addresses and other, seemingly benign information can still be used against one of the Dropbox users.
“Email addresses are at the foundation of our digital identities, as they often contain significant names and/or numbers, such as your birthday, college, or work. All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions to access even more sensitive information,” Levin said.