
Miles Archer

(18,837 posts)
Wed Aug 31, 2016, 02:15 PM Aug 2016

Dropbox hack leads to dumping of 68m user passwords on the internet

Source: The Guardian

Popular cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords dumped on to the internet.

The attack took place during 2012. At the time Dropbox reported a collection of users' email addresses had been stolen. It did not report that passwords had been stolen as well.

The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.

Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.

Read more: https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach?CMP=fb_us#link_time=1472649019
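The article says Dropbox was part-way through moving stored passwords from SHA1 to bcrypt, which is why only some of the dumped hashes were the weak kind and why users who had not logged in since 2012 were the ones told to reset. The usual way that migration is done is to rehash a legacy record at the next successful login. The following is an added illustration written for this page, not Dropbox's code; it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt so it runs without extra packages, and the user records are constructed samples.

```python
import hashlib
import hmac
import os

# Constructed sample store. Legacy records hold an unsalted SHA1 hex digest;
# migrated records hold a random 16-byte salt plus a slow, salted hash.
# PBKDF2-HMAC-SHA256 is a stand-in here for bcrypt (which needs a third-party
# package); the migration logic is the same either way.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1(password: str) -> str:
    """The weak legacy format: one unsalted SHA1 over the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_pbkdf2_record(password: str, salt: bytes = b"") -> dict:
    """Build a record in the upgraded format with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": digest}


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login; on success, rewrite a legacy SHA1 record in the new format.

    The plaintext is only available at login time, so this is the one moment a
    legacy hash can be replaced without forcing a reset.
    """
    rec = store.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "sha1":
        ok = hmac.compare_digest(rec["hash"], legacy_sha1(password))
        if ok:
            store[user] = make_pbkdf2_record(password)  # opportunistic migration
        return ok
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(rec["hash"], digest)


def legacy_users(store: dict) -> list:
    """Accounts still on SHA1: these are the ones that need a forced reset notice."""
    return sorted(u for u, rec in store.items() if rec["scheme"] == "sha1")


def build_sample_store() -> dict:
    """Constructed sample data: one un-migrated user, one already migrated."""
    return {
        "alice@example.com": {"scheme": "sha1", "hash": legacy_sha1("correct horse")},
        "bob@example.com": make_pbkdf2_record("battery staple", salt=b"\x01" * 16),
    }
```

Until a legacy user logs in, the store has no choice but to keep the SHA1 value, so `legacy_users` is the list a breach notification like Dropbox's has to go to.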


scscholar

(2,902 posts)
1. Why does no one at these corporations ever go to prison for this crime?
Wed Aug 31, 2016, 02:30 PM
Aug 2016

They knew simple hashes were insecure, but still forced their users to use them. Now, the hash of my password is out in the wild. Someone is probably going to steal my money. Steal my money.

apnu

(8,722 posts)
9. The problem is mitigated if the user doesn't recycle passwords.
Thu Sep 1, 2016, 12:40 PM
Sep 2016

But, even today where IT departments yell about this daily, many people still recycle passwords.

I switched to unique passwords for everything and I keep an encrypted password file (USB stick, with portable KeePassX for several different OSs) on me at all times.

muriel_volestrangler

(101,152 posts)
4. The fuckers! They sent out the email, but it didn't say they'd been hacked
Wed Aug 31, 2016, 02:45 PM
Aug 2016

It just said something like "we notice you haven't changed your password since 2012". Since I haven't been logging on to it (I can't even remember why I signed up to it now - it could have been to access a load of family photos or something), I didn't pay any attention to it. Now, it seems what they knew was that people may be able to associate that password (whatever it was - I can't remember now) with that email address. So if I reused that password at any time I might be in danger.

Fuck, I hate online security. Every fucking thing asks for a password, and you can't trust anyone to keep them safe. So no matter how trivial, you have to have separate ones, so you have to write them down.

reACTIONary

(5,749 posts)
5. Use salt...
Wed Aug 31, 2016, 10:33 PM
Aug 2016

Pick a good, strong pass phrase and then add a few different characters to it at the front or the end for each site. For DU, you could add DU to the base. That makes the hash different for each site. It's easy to remember the pass phrase because you use it everywhere and it's easy to remember the salt since it's short and related to the site.


Codeine

(25,586 posts)
7. This is what I do.
Wed Aug 31, 2016, 11:56 PM
Aug 2016

A base nonsense word and number that I use everywhere, but each time with a small custom addition tailored to the site. Super easy to remember but never the same in any two places.

PersonNumber503602

(1,134 posts)
10. I do something similar too.
Thu Sep 1, 2016, 01:54 PM
Sep 2016

I know the 'scheme' could be figured out if someone had access to several different passwords, but it would require some effort and some 'thinking' on their part. I figure if someone is capable and willing to expend that effort on me, then I probably have more problems than someone reading emails to my mom. Although I don't follow the scheme with sites that I consider to be 'unimportant' (message boards and the like). I just have a selection of about ten passwords I usually use for those. Not sure if that works for or against me though, as I can see it going either way.


Egnever

(21,506 posts)
6. This works
Wed Aug 31, 2016, 11:48 PM
Aug 2016
https://lastpass.com/

And works well. All you have to do is remember one password. The rest you can make as mind-bending as you like, and LastPass will even help you make really impossible-to-crack passwords. Your data is always encrypted on your end.

The free version is good enough for most people, but the premium features do bring some nice added functionality.