University of Southern California

Dropbox Hack

Posted on by mbordas

Actions:
Do not reuse passwords across different sites and services; if you already do, change each one to a password that is unique to that site or service.

What happened?
A hacker posted a plain-text file to Pastebin under a provocative headline claiming that Dropbox had been hacked. The file contained approximately 400 email/password combinations that the hacker claimed were Dropbox account credentials, and which the hacker further claimed were a subset of some 7 million credentials accessed. The hacker promised further releases in exchange for Bitcoin donations to the "cause." The news spread quickly on Twitter.

A Dropbox blog post stated that, "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox." Credentials stolen in this way are likely to be tried against other internet services as well. Dropbox stated that it monitors accounts for suspicious logins and, when it detects them, forces a mandatory password reset.
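The check Dropbox describes, matching a public credential dump against its own user base and forcing resets only where the leaked password is still in use, can be done without ever storing the leaked plaintext. The following is an added example, not code from the original post or from Dropbox. It assumes the service stores passwords as salted PBKDF2-HMAC-SHA256 hashes (the work factor, the dump format of one "email:password" per line with a non-credential headline, and all addresses and passwords in the sample are constructed for the example).

```python
"""
Added example (not from the original post or from Dropbox): given a
plain-text credential dump in the email:password form the Pastebin
post used, decide which of our own accounts must be forced through a
password reset because the leaked password is their current password.

Assumptions (not stated on the page): the service stores passwords as
salted PBKDF2-HMAC-SHA256 hashes, and a dump line is "email:password".
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # assumption: the service's work factor


@dataclass(frozen=True)
class StoredCredential:
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_stored(email: str, password: str) -> StoredCredential:
    """Build one entry of the constructed user store with a fresh random salt."""
    salt = os.urandom(16)
    return StoredCredential(email.lower(), salt, hash_password(password, salt))


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines from a paste.

    Passwords may themselves contain ':', so split on the first colon only.
    Lines without a colon (the headline, separators) and lines whose left
    side is not an address are skipped rather than treated as credentials."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        pairs.append((email, password))
    return pairs


def accounts_to_reset(dump_text: str, store: dict[str, StoredCredential]) -> set[str]:
    """Return the emails whose leaked password is their current password here.

    Only accounts that appear in the dump are checked, so the cost is one
    PBKDF2 derivation per dump line that names one of our users. Dump lines
    for addresses we do not know are ignored; the leaked plaintext is never
    persisted, only compared against the existing salted hash."""
    hits = set()
    for email, leaked_pw in parse_dump(dump_text):
        cred = store.get(email)
        if cred is None:
            continue  # not our user; nothing to reset
        candidate = hash_password(leaked_pw, cred.salt)
        if hmac.compare_digest(candidate, cred.pw_hash):
            hits.add(email)
    return hits


# Constructed sample data in the style of the original paste: a headline
# line followed by credential lines. None of these accounts are real.
SAMPLE_DUMP = """\
DROPBOX HACKED - first 5 of 7 million, send BTC for more
alice@example.com:Summer2014!
bob@example.com:hunter2
carol@example.com:corr:ect:horse
not-an-email-line
dave@other.example:qwerty
"""

# Constructed user store: alice and carol reused the leaked password,
# bob did not, and dave is not a user of this service at all.
USER_STORE = {
    c.email: c for c in (
        make_stored("alice@example.com", "Summer2014!"),
        make_stored("bob@example.com", "a-different-pw"),
        make_stored("carol@example.com", "corr:ect:horse"),
    )
}

if __name__ == "__main__":
    print(sorted(accounts_to_reset(SAMPLE_DUMP, USER_STORE)))
```

The check only works when the dump carries plaintext passwords, as the Pastebin post did; a dump of hashes from another site cannot be compared against a differently salted store, and in that case the only safe response is to reset every listed account that is a known user.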

What are the contributing factors/root cause?
Attackers count on users re-using the same password across the many online services they use rather than remembering a separate one for each. Dropbox's own servers were not compromised, but the way most popular services let users log in (an email address plus a password) means that credentials stolen from any other site, or from third-party apps and services that users have linked to their Dropbox account, can simply be replayed against Dropbox. Attackers breach weaker sites, cross-reference the harvested logins against services like Dropbox, and succeed wherever a user reused the password. Those third parties have therefore become the target of choice for obtaining personal information. Combined with the fact that old password dumps remain easy to find on the web, this makes the situation likely to recur.

What should be done to mitigate the risks?
Do not reuse passwords across web sites and services.
Enable two-step verification for your online accounts wherever it is offered.
Change your passwords periodically, and immediately if a service you use reports a breach.

For more information, see:
http://thenextweb.com/apps/2014/10/14/dropbox-passwords-leak-online-alleged-hack
http://techcrunch.com/2014/10/14/dropbox-pastebin
http://www.darkreading.com/attacks-breaches/dropbox-wordpress-used-as-cloud-cover-in-new-apt-attacks/d/d-id/1140098
http://www.businessinsider.com/dropbox-hacked-2014-10
http://www.theverge.com/2014/10/14/6976429/dropbox-says-it-wasnt-hacked-released-passwords-were-stolen-from
