Dropbox hack leads to dumping of 68m user passwords on the internet
Source: The Guardian
Popular cloud storage firm Dropbox has been hacked, with over 68m users' email addresses and passwords dumped on to the internet.
The attack took place during 2012. At the time Dropbox reported that a collection of users' email addresses had been stolen. It did not report that passwords had been stolen as well.
The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.
Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox followed good user data security practice, encrypting the passwords, and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.
Read more: https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach?CMP=fb_us#link_time=1472649019
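As an added illustration (not part of the Guardian article or this thread, and not Dropbox's own code): the upgrade-on-login pattern a site in mid-migration from unsalted SHA-1 to a slow, salted hash relies on. A record can only be rehashed when its owner logs in and the plaintext is briefly available, so accounts untouched since 2012 keep the old hash, which is why the notification targeted exactly those users. The article names bcrypt; this example uses PBKDF2 from Python's standard library as a stand-in so it runs without third-party modules, and the user records and passwords are constructed.

```python
import hashlib
import hmac
import os

STRONG_SCHEME = "pbkdf2_sha256"  # stand-in for bcrypt (see lead-in)
PBKDF2_ROUNDS = 200_000


def legacy_sha1(password: str) -> str:
    """2012-era record format: unsalted SHA-1 hex digest (fast to crack offline)."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash stored as scheme$rounds$salt$digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{STRONG_SCHEME}${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, record: str) -> bool:
    _scheme, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(store: dict, email: str, password: str) -> bool:
    """Check the password; if the stored record is legacy and the check passes,
    replace it with a strong record in place (transparent upgrade on login)."""
    record = store[email]
    if record.startswith(STRONG_SCHEME + "$"):
        return verify_strong(password, record)
    # Legacy path: constant-time compare against the unsalted SHA-1 record.
    if not hmac.compare_digest(legacy_sha1(password), record):
        return False
    store[email] = strong_hash(password)  # only possible with the plaintext in hand
    return True


def count_legacy(store: dict) -> int:
    """How many accounts still carry the weak hash, i.e. never logged in since migration."""
    return sum(1 for r in store.values() if not r.startswith(STRONG_SCHEME + "$"))


if __name__ == "__main__":
    # Constructed store: one dormant legacy account, one already migrated.
    users = {"dormant@example.com": legacy_sha1("hunter2"),
             "active@example.com": strong_hash("correct horse battery")}
    print("legacy before:", count_legacy(users))
    login(users, "dormant@example.com", "hunter2")
    print("legacy after login:", count_legacy(users))
```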
scscholar (2,902 posts)
They knew simple hashes were insecure, but still forced their users to use them. Now, the hash of my password is out in the wild. Someone is probably going to steal my money. Steal my money.
apnu (8,722 posts)
But, even today where IT departments yell about this daily, many people still recycle passwords.
I switched to unique passwords for everything and I keep an encrypted password file (USB stick, with portable KeePassX for several different OSs) on me at all times.
WhiteTara (29,676 posts)
BumRushDaShow (127,301 posts)
managed to get some new folks to join their board.
muriel_volestrangler (101,152 posts)
It just said something like "we notice you haven't changed your password since 2012". Since I haven't been logging on to it (I can't even remember why I signed up to it now - it could have been to access a load of family photos or something), I didn't pay any attention to it. Now, it seems what they knew was that people may be able to associate that password (whatever it was - I can't remember now) with that email address. So if I reused that password at any time I might be in danger.
Fuck, I hate online security. Every fucking thing asks for password, and you can't trust anyone to keep them safe. So no matter how trivial, you have to have separate ones, so you have to write them down.
reACTIONary (5,749 posts)
Pick a good, strong pass phrase and then add a few different characters to it at the front or the end for each site. For DU, you could add DU to the base. That makes the hash different for each site. It's easy to remember the pass phrase because you use it everywhere and it's easy to remember the salt since it's short and related to the site.
Codeine (25,586 posts)
A base nonsense word and number that I use everywhere, but each time with a small custom addition tailored to the site. Super easy to remember but never the same in any two places.
PersonNumber503602 (1,134 posts)
I know the 'scheme' could be figured out if someone had access to several different passwords, but it would require some effort and some 'thinking' on their part. I figure if someone is capable and willing to expend that effort on me, then I probably have more problems than someone reading emails to my mom. Although I don't follow the scheme with sites that I consider to be 'unimportant' (message boards and the like). I just have a selection of about ten passwords I usually use for those. Not sure if that works for or against me though, as I can see it going either way.
Egnever (21,506 posts)
And works well. All you have to do is remember one password. The rest you can make as mind bending as you like and LastPass will even help you make really impossible-to-crack passwords. Your data is always encrypted on your end.
The free version is good enough for most people but the premium features do bring some nice added functionality.