Wed Aug 31, 2016, 02:15 PM

Dropbox hack leads to dumping of 68m user passwords on the internet

Source: The Guardian

Popular cloud storage firm Dropbox has been hacked, with over 68m users' email addresses and passwords dumped on to the internet.

The attack took place during 2012. At the time Dropbox reported a collection of users' email addresses had been stolen. It did not report that passwords had been stolen as well.

The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.

Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.

Read more: https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach?CMP=fb_us#link_time=1472649019

Replies to this discussion thread
Miles Archer Aug 2016 OP
scscholar Aug 2016 #1
apnu Sep 2016 #9
WhiteTara Aug 2016 #2
BumRushDaShow Aug 2016 #3
muriel_volestrangler Aug 2016 #4
reACTIONary Aug 2016 #5
Codeine Aug 2016 #7
PersonNumber503602 Sep 2016 #10
Egnever Aug 2016 #6
uppityperson Sep 2016 #8

Response to Miles Archer (Original post)

Wed Aug 31, 2016, 02:30 PM

1. Why does no one at these corporations ever go to prison for this crime?

They knew simple hashes were insecure, but still forced their users to use them. Now, the hash of my password is out in the wild. Someone is probably going to steal my money. Steal my money.


Response to scscholar (Reply #1)

Thu Sep 1, 2016, 12:40 PM

9. The problem is mitigated if the user doesn't recycle passwords.

But, even today where IT departments yell about this daily, many people still recycle passwords.

I switched to unique passwords for everything and I keep an encrypted password file (USB stick, with portable KeePassX for several different OSs) on me at all times.


Response to Miles Archer (Original post)

Wed Aug 31, 2016, 02:33 PM

2. When did Kinda Sleazie take over DropBox?


Response to WhiteTara (Reply #2)

Wed Aug 31, 2016, 02:42 PM

3. When Dewey, Cheatem, and Howe

managed to get some new folks to join their board.


Response to Miles Archer (Original post)

Wed Aug 31, 2016, 02:45 PM

4. The fuckers! They sent out the email, but it didn't say they'd been hacked

It just said something like "we notice you haven't changed your password since 2012". Since I haven't been logging on to it (I can't even remember why I signed up to it now - it could have been to access a load of family photos or something), I didn't pay any attention to it. Now, it seems what they knew was that people may be able to associate that password (whatever it was - I can't remember now) with that email address. So if I reused that password at any time I might be in danger.

Fuck, I hate online security. Every fucking thing asks for a password, and you can't trust anyone to keep them safe. So no matter how trivial, you have to have separate ones, so you have to write them down.


Response to muriel_volestrangler (Reply #4)

Wed Aug 31, 2016, 10:33 PM

5. Use salt...

Pick a good, strong pass phrase and then add a few different characters to it at the front or the end for each site. For DU, you could add DU to the base. That makes the hash different for each site. It's easy to remember the pass phrase because you use it everywhere and it's easy to remember the salt since it's short and related to the site.


Response to reACTIONary (Reply #5)

Wed Aug 31, 2016, 11:56 PM

7. This is what I do.

A base nonsense word and number that I use everywhere, but each time with a small custom addition tailored to the site. Super easy to remember but never the same in any two places.


Response to Codeine (Reply #7)

Thu Sep 1, 2016, 01:54 PM

10. I do something similar too.

I know the 'scheme' could be figured out if someone had access to several different passwords, but it would require some effort and some 'thinking' on their part. I figure if someone is capable and willing to expend that effort on me, then I probably have more problems than someone reading emails to my mom. Although I don't follow the scheme with sites that I consider to be 'unimportant' (message boards and the like). I just have a selection of about ten passwords I usually use for those. Not sure if that works for or against me though, as I can see it going either way.


Response to muriel_volestrangler (Reply #4)

Wed Aug 31, 2016, 11:48 PM

6. This works

https://lastpass.com/

And works well. All you have to do is remember one password. The rest you can make as mind bending as you like and LastPass will even help you make really impossible to crack passwords. Your data is always encrypted on your end.

The free is good enough for most people but the premium features do bring some nice added functionality.


Response to muriel_volestrangler (Reply #4)

Thu Sep 1, 2016, 12:18 PM

8. That's the one I got too and went meh.
