
Dropbox.com hacked? - te_chris
http://pastebin.com/aRgTJzzg
======
bobbles
It appears there has been a response from Dropbox:

[http://www.techly.com.au/2014/10/14/dropbox-hacked-seven-mil...](http://www.techly.com.au/2014/10/14/dropbox-hacked-seven-million-leaked-accounts-passwords-go-online/)

"Dropbox has not been hacked. These usernames and passwords were unfortunately
stolen from other services and used in attempts to log in to Dropbox accounts.
We’d previously detected these attacks and the vast majority of the passwords
posted have been expired for some time now. All other remaining passwords have
been expired as well."

~~~
TTPrograms
Somebody should compare these against previous major breaches (Adobe etc.). If
there was a new one you would think that they would directly name the service.
Otherwise they might just be seeking attention / BTC by reposting a previous
breach.

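The comparison TTPrograms suggests can be done offline: normalise both lists and look for email+password pairs that already appear in an older dump. A high share of exact email+password matches against prior breaches is the signature of a credential-stuffing list rather than a fresh breach of the claimed service. The following is an added example, not code from the thread or from Dropbox; the paste contents, site names and addresses are all constructed for illustration:

```python
import re

# Constructed sample data: a "new" paste in the email:password shape the
# pastebin teaser used, and two older dumps to compare against. None of
# these addresses or passwords are real.
NEW_PASTE = """\
alice.b@hotmail.com:trustnoone
bob.billet@yahoo.com:Summer2011
Carol.Billew@GMAIL.com:letmein
dave.billen@hotmail.com:qwerty123
erin.billel@gmail.com:Password1
"""

OLD_DUMPS = {
    "site-A-2012": """\
alice.b@hotmail.com:trustnoone
carol.billew@gmail.com:letmein
frank@example.org:hunter2
""",
    "site-B-2013": """\
bob.billet@yahoo.com, Summer2011
dave.billen@hotmail.com, different_pw
""",
}

# Accepts both "email:password" and "email, password" line shapes.
LINE_RE = re.compile(r"^\s*([^\s:,]+@[^\s:,]+)\s*[:,]\s*(.+?)\s*$")


def parse_dump(text):
    """Return {email: password} from a dump.

    Emails are lower-cased so that Carol.Billew@GMAIL.com and
    carol.billew@gmail.com collide; passwords are left untouched because
    they are case-sensitive on most services.
    """
    creds = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner text, blank lines, ransom note
        creds[m.group(1).lower()] = m.group(2)
    return creds


def compare(new_text, old_texts):
    """Classify each credential in the new paste against the old dumps.

    Buckets:
      reused     - same email AND same password seen in an older dump
      same_email - email seen before, but with a different password
      unseen     - email not present in any older dump
    """
    new = parse_dump(new_text)
    old = {name: parse_dump(t) for name, t in old_texts.items()}
    result = {"reused": {}, "same_email": {}, "unseen": []}
    for email, pw in new.items():
        hits = [name for name, d in old.items() if d.get(email) == pw]
        seen = [name for name, d in old.items() if email in d]
        if hits:
            result["reused"][email] = hits
        elif seen:
            result["same_email"][email] = seen
        else:
            result["unseen"].append(email)
    return result


def reuse_ratio(report):
    """Share of the new paste that is an exact replay of an older dump."""
    total = sum(len(report[k]) for k in ("reused", "same_email", "unseen"))
    return len(report["reused"]) / total if total else 0.0


if __name__ == "__main__":
    report = compare(NEW_PASTE, OLD_DUMPS)
    for bucket, entries in report.items():
        print(bucket, entries)
    print("exact reuse ratio: %.2f" % reuse_ratio(report))
```

On real data the reference dumps are large, so keep the parsed `{email: password}` maps on disk (or hash the pairs) rather than re-parsing per lookup; the classification logic stays the same.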
~~~
luisrudge
easy: [https://haveibeenpwned.com/](https://haveibeenpwned.com/)

~~~
sillysaurus3
The website says my gmail address has been pwned:

"In September 2014, a large dump of nearly 5M usernames and passwords was
posted to a Russian Bitcoin forum. Whilst commonly reported as 5M "Gmail
passwords", the dump also contained 123k yandex.ru addresses. Whilst the
origin of the breach remains unclear, the breached credentials were confirmed
by multiple sources as correct, albeit a number of years old.

Compromised data: Email addresses, Passwords"

Is there some way to figure out exactly which password was compromised?

~~~
techrat
[https://isleaked.com/en.php](https://isleaked.com/en.php)

Type in your email address and you'll get the first two letters of the known
password back. It should help to track down which service the password came
from.

When the 5 Mil Gmail leak first happened, it was found to be a collection of
gmail/pass combinations from other leaks and not a Gmail hack.

Known sources (and definitely not limited to these sites):

* Gawker (and related sites),

* Friendster,

* XTube,

* FileDropper,

* Daz3d/Bryce,

* eHarmony,

* Savage,

* Bioware,

* FreebieJeebies,

* PoliceAuctions,

* Bravenet,

* Filesavr.

If you recycled passwords, change them even if they're not in the email list.
Turn on two factor for Google Accounts.

~~~
username3
A friend's email was on isleaked, but said they never had a password with
those first two letters.

------
nostromo
I doubt dropbox was hacked. It also doesn't look like a dictionary attack.

It seems more likely that a third-party website wasn't storing passwords
correctly, was hacked, and this is the list of users that use a single
password for everything.

~~~
pain_perdu
If your theory is correct, would we not expect to see the account names be a
bit more random? That is to say, these are in alphabetical order and clearly
coming from a large list because the letters in each progressive account are
similar:

Bille97... Billel... Billen... Billet... Billew...

Isn't it unlikely that so many alphabetically-similar accounts from the third-
party site would use the same password for dropbox?

~~~
asdfaoeu
Using
[http://thepiratebay.se/torrent/7803135/1_million_email_list](http://thepiratebay.se/torrent/7803135/1_million_email_list)
to give the relative frequency of email addresses I'd estimate they have a
total of around 30k addresses

    
    
        -> % cat 1000000\ email\ list.txt | sed 's/, */\n/g' | grep "@"| sort | uniq | wc -l
        835694
        -> % cat 1000000\ email\ list.txt | sed 's/, */\n/g' | grep "@"| sort | uniq | grep -i "^b[e-i]" | wc -l
        11160
        irb(main):001:0> (835694.0 / 11160) * 400
        => 29953.189964157707

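asdfaoeu's calculation generalises to any alphabetically contiguous teaser: the fraction of a large reference list whose addresses fall in the same prefix range gives the scale factor from sample size to total dump size. The following is an added example, not code from the thread; the reference addresses are constructed (the real list would be the large public one the thread uses), while the `b[e-i]` range and the 400-entry sample are the thread's own figures:

```python
import re
from collections import Counter

# Constructed stand-in for the "1 million email list" used in the thread
# (none of these addresses are real). That list is comma separated, which
# is why the splitter below accepts commas as well as whitespace.
REFERENCE = """\
aaron@example.com, abby@example.org, adam@example.net
beatrice@example.com, ben@example.org, bertha@example.net, bill@example.com
billie@example.org, bob@example.net, bryan@example.com
carl@example.com, cathy@example.org, chris@example.net
dan@example.com, dave@example.org
"""

# The teaser in the thread: 400 addresses whose local parts run from
# "be..." to "bi...".
TEASER_SAMPLE_SIZE = 400
TEASER_RANGE = re.compile(r"^b[e-i]")


def load_addresses(text):
    """Split a comma/whitespace separated list into unique lower-cased addresses."""
    return {tok.strip().lower() for tok in re.split(r"[,\s]+", text) if "@" in tok}


def prefix_fraction(addresses, pattern):
    """Fraction of reference addresses whose local part matches `pattern`."""
    matching = sum(1 for a in addresses if pattern.match(a))
    return matching / len(addresses)


def estimate_from_counts(sample_count, matching, total):
    """The arithmetic from the thread: sample_count * total / matching."""
    return sample_count * total / matching


def estimate_total(sample_count, addresses, pattern):
    """Scale an alphabetically contiguous sample up to the whole dump.

    Assumes (a) the teaser is exhaustive for its prefix range and (b) the
    reference list has roughly the same distribution of local parts as the
    dump. Both are approximations; treat the result as an order of
    magnitude, not a count.
    """
    frac = prefix_fraction(addresses, pattern)
    if frac == 0:
        raise ValueError("prefix range not represented in the reference list")
    return sample_count / frac


def provider_counts(addresses):
    """Domain frequency, to sanity-check a Hotmail/Gmail/Yahoo mix."""
    return Counter(a.rsplit("@", 1)[1] for a in addresses)


if __name__ == "__main__":
    addrs = load_addresses(REFERENCE)
    print("reference addresses:", len(addrs))
    print("estimated dump size:", round(estimate_total(TEASER_SAMPLE_SIZE, addrs, TEASER_RANGE)))
    print("thread's own numbers:", round(estimate_from_counts(400, 11160, 835694), 2))
    print("providers:", provider_counts(addrs).most_common())
```

Note that the estimate is only as good as assumption (a): if the teaser skipped addresses inside the range, the real dump is larger than the estimate, never smaller.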
------
Chris911
Dropbox response:

"Dropbox has not been hacked. These usernames and passwords were unfortunately
stolen from other services and used in attempts to log in to Dropbox accounts.
We’d previously detected these attacks and the vast majority of the passwords
posted have been expired for some time now. All other remaining passwords have
been expired as well."

------
newscracker
I feel this has been done for the sole purpose of making some money from
gullible people (not that making money by finding security holes is bad in
itself, as long as it's also combined with some social responsibility).

Making unsubstantiated statements like "6,937,081 DROPBOX ACCOUNTS HACKED" and
requests like "MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN" makes this
whole thing seem like a scam.

~~~
ASneakyFox
No dishonor in scamming fellow criminals I guess.

------
sheetjs
More teasers:

[http://pastebin.com/1AZQ7McK](http://pastebin.com/1AZQ7McK)

[http://pastebin.com/NtgwpfVm](http://pastebin.com/NtgwpfVm)

~~~
danso
Chuckling at a few of the passwords of these unfortunate accounts, such as
"trustnoone"

Considering that Dropbox is most useful via the desktop/mobile app...meaning
that the password is rarely entered...I treat my Dropbox password as if it
were on a need-to-know basis...that is, I have no idea what it is and I have
to jump through several hoops to retrieve it for the rare times when I need to
login. I don't put anything too valuable on Dropbox, but better safe than
sorry.

~~~
smeyer
How rarely would you say you log in to Dropbox? I use it quite frequently to
access the website to access files when not on a computer with my full dropbox
synced locally.

~~~
calinet6
Any good password manager (e.g. 1Password) has a mobile app for easy access as
well. Worth the investment.

------
Stormcaller
Why is Hotmail so popular in this list? I thought Gmail was the most used, and
even Yahoo seems to be on par with Gmail here.

May it be because they didn't actually hack Dropbox but just hacked about 400
accounts, and Hotmail users were easier targets because that demographic was
more like our parents?

Also, the list skips from b-e to b-i in 400 users; surely if there were 7
million email addresses this shouldn't be the case?

~~~
dangrossman
Gmail, Hotmail and Yahoo! Mail each have ~300MM uniques per month. Gmail only
became the leader, by a percentage point or so, at the end of 2012. You would
expect roughly the same number of addresses from each provider.

------
fiatjaf
Are people really sending BTC to these guys so they can release "teasers" with
so little accounts in pastebins?

~~~
Stormcaller
No, they don't, as of yet at least.

See:
[http://btc.blockr.io/address/info/1Fw7QqUgzbns7yWHH32UnmMxmM...](http://btc.blockr.io/address/info/1Fw7QqUgzbns7yWHH32UnmMxmMMwu6MC6h)

------
leke
Interesting. They wrote a blog post about security and phishing just 5 days
ago. I wonder if they already knew about the hack at this time?

[https://blog.dropbox.com/2014/10/dont-get-baited-by-phishing...](https://blog.dropbox.com/2014/10/dont-get-baited-by-phishing-or-malware/#more-4034)

I also wonder if this effort was spurred by Snowden's criticism of their
system?

------
pudquick
Title is a bit inflammatory. No proof, simply a few short lists of usernames
and passwords that (at the time of release) were valid to login to Dropbox.

Did they come from Dropbox? Not necessarily. Not everyone uses a unique
username+password combination for each site.

A more accurate title would be something like: Dropbox accounts potentially
compromised

~~~
fiatjaf
By "not everyone" you actually mean "no one except a few hackers that have the
means to do so by using an installed program".

------
sidcool
If true, this is a big deal. One of the websites has reported that 7 million
accounts have been hacked.

~~~
mahmud
This is the BIG question.

------
LeoPanthera
Has anyone tested those logins to see if they work?

Of course, even if they do, it could easily be passwords taken from some other
service, matched to accounts where people use the same password for
everything.

Not necessarily an indication of Dropbox itself being hacked.

~~~
minimaxir
Apparently, yes.
[http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox...](http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox_been_hacked_passwords_dumped_on/)

------
darekkay
Funny, it actually IS Tuesday again :D
[http://www.eclectide.com/blog/2014/09/14/another-password-le...](http://www.eclectide.com/blog/2014/09/14/another-password-leak-oh-must-tuesday/)

------
shortstuffsushi
It would be nice if someone would write a quick script to email these people
notifying them. Maybe if I get more time tonight, I'll give it a shot.
Otherwise, someone else could be the hero ;)

~~~
sidcool
I agree, I would like to give it a try. The only problem is how do I ensure
the information is valid. I am not going to try and access the accounts, as
that would be unethical.

~~~
fiatjaf
Would it be unethical to enter anyone's house without being invited to save
the people in there from a huge fire burning the house?

~~~
vacri
Saving someone in immediate peril of death is a bit different to alerting
someone that there's been a privacy breach, which they can then deal with
themselves.

------
genesem
Two(!) days ago Snowden warned: [http://rt.com/news/195244-snowden-rid-dropbox-privacy/](http://rt.com/news/195244-snowden-rid-dropbox-privacy/)

~~~
wmt
He warned about the NSA, who just have court-ordered direct access to all
Dropbox files instead of using something as mundane as logins.

~~~
genesem
Yes he did, but also: "...urges internet users to get rid of Dropbox". Thanks
to @CondoleezzaRice and the NSA.

------
general_failure
Is this real? Scary. How could they get the plain text passwords?

~~~
nickodell
Perhaps they obtained the hashes, then tried bruteforcing them, and only
published the ones that they actually found.

~~~
yen223
Doubt it, there are some non-dictionary-word passwords on the list.

~~~
mehwoot
Mostly short ones though.

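nickodell's hypothesis (hashes obtained from a breached site, cracked offline, only the recovered ones published) would produce exactly the mix yen223 and mehwoot describe: dictionary words plus short random-looking strings, and nothing long. The following is an added example, not code from the thread; it assumes the breached site stored unsalted SHA-1 digests and builds its own constructed hash list so it runs offline:

```python
import hashlib
import itertools
import string


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed "leaked hash list" (assumption: unsalted SHA-1). Generated
# inline for the demo; in a real dump you would only have the digests.
_DEMO_PLAINTEXTS = ["trustnoone", "letmein", "qx7", "h4k", "Tr0ub4dor&3-long-one"]
LEAKED_HASHES = {
    "user%d@example.com" % i: sha1_hex(p) for i, p in enumerate(_DEMO_PLAINTEXTS)
}

# Tiny constructed wordlist; a real run would use a multi-million-entry one.
WORDLIST = ["password", "letmein", "trustnoone", "qwerty", "123456"]


def crack(hashes, wordlist, max_brute_len=3, alphabet=string.ascii_lowercase + string.digits):
    """Return {user: plaintext} for every digest recovered; the rest stay unknown.

    Stage 1: wordlist. Cheap, catches dictionary passwords ("trustnoone").
    Stage 2: exhaustive search over short strings. Catches random-looking
             but short passwords ("qx7", "h4k").
    Anything long and not in the wordlist is not recovered, which is why a
    published "plaintext" list built this way is dominated by dictionary
    words and short strings and contains no long, random ones.
    """
    pending = {h: user for user, h in hashes.items()}  # digest -> user
    found = {}
    for word in wordlist:
        h = sha1_hex(word)
        if h in pending:
            found[pending.pop(h)] = word
    for n in range(1, max_brute_len + 1):
        if not pending:
            break
        for chars in itertools.product(alphabet, repeat=n):
            cand = "".join(chars)
            h = sha1_hex(cand)
            if h in pending:
                found[pending.pop(h)] = cand
                if not pending:
                    break
    return found


def uncracked(hashes, found):
    """Users whose password was not recovered (and so would not be published)."""
    return sorted(set(hashes) - set(found))


if __name__ == "__main__":
    result = crack(LEAKED_HASHES, WORDLIST)
    for user, pw in sorted(result.items()):
        print(user, pw)
    print("not recovered:", uncracked(LEAKED_HASHES, result))
```

With a salted, slow hash (bcrypt, scrypt, PBKDF2 with a high iteration count) the same attacker gets far fewer plaintexts per unit of effort, which is the property the "other services" in Dropbox's statement evidently lacked.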
------
grimlck
I wonder how many people are foolish enough to store their bitcoin wallets on
dropbox, and if the hacker has already preemptively removed the funds from
those wallets.

~~~
LeoPanthera
(Most) bitcoin wallets store the private keys encrypted, so even if you could
steal them, they wouldn't do you any good unless the password was very simple.

~~~
newbrict
I put a money-back guarantee that half of the users who do encrypt with a
passphrase use the same password that logs into their Dropbox account... ha

------
bobbles
I've changed my password, but TBH i don't even know if that will help here as
they seem to be able to access the passwords as well??

------
harry8
Is it too controversial to say it's kind of immaterial whether it's been
"hacked" when the whole thing is a honeypot anyway?

[http://www.wired.com/2014/04/dropbox-rice-controversy/](http://www.wired.com/2014/04/dropbox-rice-controversy/)

Anything you save can and will be used against you ...

~~~
harry8
According to downvoters who don't reply, apparently yes, it is too
controversial for HN. On the other hand it's hardly a point of view that lacks
legitimacy or goes unheard amongst us.

Your private data is not safe in dropbox. The end.

------
msutherl
Do you have to worry about this if you have 2-factor auth enabled?

~~~
ChrisAntaki
So far, it appears not. Though if you reused your Dropbox password anywhere
else, resetting both would be a good idea.

------
ChuckMcM
Am I mis-remembering or didn't we see this same list before?

------
markcampbell
Step 1. Enable 2 factor authentication

Step 2. Change password

------
sidcool
Time to buy that external HDD.

