

Dropbox wasn't hacked - dctrwatson
https://blog.dropbox.com/2014/10/dropbox-wasnt-hacked/

======
jen729w
So ... what's the lesson here for our non-nerdy friends & family? I
immediately sent my closest friends a "change your Dropbox password" email,
which is still valid because, whether they were hacked or not, someone may now
have their password. Which is probably also their password to Facebook.

I suppose the question is, does it _matter_ if Dropbox was hacked or if these
credentials were gained by some other means? The end result for a poor user^
is the same.

(^Not me, of course. I use 1Password.)

~~~
digital-rubber
No offence, but in my humble opinion using 1Password, or any password manager,
does not make you a better or more secure user.

Perhaps it even lowers your security in some ways.

Sharing the fact (with the internet) that you use a password manager has
already lowered your security, technically speaking.

I find the idea of using one password (and a private key etc.) to protect all
my other accounts and passwords a bit strange, especially synced over
3rd-party servers/services.

Not to mention when people use it on devices often discussed as having ways to
eavesdrop on a user, Android, iPhone. The security of the password vault is
now equal to that of that particular device (which could be as low as no
security).

~~~
pb2au
I disagree.

When you use a password manager and separate passwords for each website,
you're effectively eliminating an entire class of potential attacks, because
any leaks from the website will not affect your accounts elsewhere (especially
bad for accounts with privileges such as your email or bank accounts).

In exchange, you use a password or key to locally decrypt the rest of your
passwords. This means for someone to have access to your password store they
have to (1) find a vulnerability in the password manager store file or (2)
obtain access to your machine. Comparing these, (1) is much less likely than
getting a password list from a server with more attack surfaces, and (2) would
also leak your passwords even without a password manager.

It may seem strange to think of all your passwords as being protected by a
single password, but the key concept is that you aren't sending that password
across the wire, but do regularly send the others. If your local machine is
insecure, it doesn't really matter whether or not you are using a password
manager.

Obviously, it would be even more secure to have different passwords for each
website and be able to remember all of them, but it's not a very reliable
method of storage and puts too large a burden on the user.

~~~
digital-rubber
Then let's agree to disagree. But points 1 and 2 that you describe are both
more likely (to specifically compromise/capture your vault unlock).

Then if somebody managed to capture all my login details on different
websites, with a per-website login, in a particular time frame, they would
need a year to capture all logins, as I don't use all sites daily, weekly, or
even monthly.

One can discuss it short, one can discuss it long :) but you still put all
your (generated) eggs in a single basket. A basket (computing security does
not exist, it only delays things) that cannot be more secure than your mind.

------
hug
Interestingly enough, on the same pastebin site that the leak first appeared,
we now have someone programmatically changing the account passwords in the
leak: [http://pastebin.com/LsKrspK5](http://pastebin.com/LsKrspK5)

There's another set of account credentials here:
[http://pastebin.com/jHEjBLrQ](http://pastebin.com/jHEjBLrQ) which are all
starting with the letter A. It covers AA to AZ, and spans 900 accounts. Does
this mean there's only ~24,000 accounts compromised?

Strangely enough, that was the 'sixth' teaser. I found the fifth --
[http://pastebin.com/CsN3SrGA](http://pastebin.com/CsN3SrGA) -- but all of
the passwords in that list are "latenightbootycalls". I cannot find the
'fourth' just yet.

(Someone let me know if the link to the paste is frowned upon. It's pretty
easy to find on Google, however, so I figure I'm doing no additional damage.)

~~~
mhandley
Like the other set of credentials, there's a relative scarcity of gmail
addresses. I'd expect dropbox accounts to be a pretty good sampling of email
addresses. Either these have had gmail addresses removed (unlikely as a few
are in there), or the list comes from somewhere where hotmail and yahoo are
more popular than gmail - wonder where that would be?

~~~
vidarh
> or the list comes from somewhere where hotmail and yahoo are more popular
> than gmail -

Unless the numbers have shifted drastically in the last year: One or both of
them are ahead of Gmail in most of the world, outside of tech circles.

------
korzun
Would be interesting to know what third party service it was and how they were
able to make that link.

Also the pastebin claimed such a large amount (6,937,081) of impacted users
but only showed a really small sample that started with the letter 'b'. Based
on that sample they were already covering letters (bf, bg, bh). So I doubt
this is anywhere near the claimed amount.

Asking for 'BTC' to leak more (who wants to pay for a public list?) is also
extremely suspect.

~~~
kolev
Why do you trust the hacker? By definition, hackers are not the trustworthy
kind. He may have 7 million emails and passwords from elsewhere and make bold
claims to collect bitcoins from lower ranks of hackers. I initially thought
that some smartass created a bunch of accounts and posted them to collect some
bitcoins from the naive. Particularly, because emails are so similar, i.e. I
speculated that he did that to simulate having a 7 million users database.

~~~
cscharenberg
It would be really interesting if a hacker found a way to harvest _new_
passwords and faked a huge data breach to get millions of people to change
their passwords. Threatening fake data breaches if not paid a ransom could be
the next profitable hacker market. It would probably work a few times, and
certainly muddy up the waters for both organizations and people. Imagine
trying to figure out how to respond when 10 major groups have a data breach
per week, but 2 of those are real and the rest are fakes. Chaos and massive
frustration.

~~~
kolev
Exactly my point! I've always wondered why journos give the wrong advice to
people and why people stupidly trust them and not a technical authority on the
subject. At the end of the day, all companies now reset passwords if
necessary, so, people should wait for the companies to tell them what to do,
and not some journo in the business of clickbaiting and scaremongering.

------
_arvin
Nipped that in the bud quite nicely. Some of those passwords were god-awful.
Moral of the story: 2FA for the win.

------
Beldur
This shows even more why we need solutions like
[http://storj.io/](http://storj.io/)

~~~
conradk
This looks nice. But unfortunately, the headline is WAY too technical for
"regular" people:

> DECENTRALIZED CLOUD STORAGE
>
> Storj is based on the Bitcoin blockchain technology and peer-to-peer
> protocols to provide the most secure, private and efficient cloud storage.

"Regular" people, people that just want their stuff backed up and synced, do
not necessarily know what "decentralized cloud storage", "Bitcoin blockchain"
or "peer-to-peer protocols" are.

Also, Dropbox clearly stated that it was not hacked. I cannot imagine Dropbox
storing passwords in clear text. To me, this "hack" looks like a scam trying
to make easy Bitcoin money.

What we need is to make people aware of the security implications of using the
same password everywhere.

------
nitin_flanker
Then it is great. They are saying that the leaked credentials were obtained
from third-party services.

~~~
scrollaway
Isn't it obvious? The list giving such a small sample of b- usernames, the
passwords all super-vulnerable to simple dictionary attacks, the request for
money and whatnot. Some idiot got hold of a bunch of hashes (could even be
from a previous dump), brute-forced a few hundred and cross-referenced with
known Dropbox accounts. Voila.
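As an added example (not code from anyone in this thread, nor from Dropbox), here is the mechanism scrollaway describes run end to end on constructed data: a third-party dump of unsalted SHA-1 hashes is reversed with a lookup table built from a wordlist, and the cracked pairs are intersected with a set of addresses known to have an account at the target service. The unsalted-SHA-1 storage, the example.com addresses, the wordlist and the "known Dropbox emails" set are all assumptions made for the demonstration; the intersection is the only step, so nothing here touches a live service.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the kind of fast hash a careless site might store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_constructed_dump() -> List[str]:
    """Constructed sample dump in the common 'email:hash' line format.

    These are not real credentials; the plaintexts are hashed here only so
    the script runs offline. Assumption: unsalted SHA-1 (a salted, slow hash
    such as bcrypt would make the lookup-table attack below useless).
    """
    leaked = [
        ("bfrank@example.net", "password1"),
        ("bgates@example.org", "latenightbootycalls"),
        ("bhale@example.com", "7kQ!v2#Lp9zR@wE4"),  # random; in no wordlist
        ("alice@example.com", "123456"),
    ]
    return [f"{email}:{sha1_hex(pw)}" for email, pw in leaked]


# Tiny constructed wordlist; a real run would use a rockyou-style list.
WORDLIST: List[str] = [
    "123456", "password", "password1", "qwerty", "latenightbootycalls",
]

# Constructed stand-in for "addresses known to have a Dropbox account".
KNOWN_DROPBOX_EMAILS: Set[str] = {
    "bfrank@example.net",
    "bgates@example.org",
    "bhale@example.com",
}


def crack_dump(lines: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Reverse unsalted hashes with a precomputed lookup table.

    Each candidate is hashed once, then every dump line is answered with one
    dict lookup, so the cost is O(|wordlist| + |dump|). That is why unsalted
    fast hashes fall so quickly: a salt would force one table per user.
    Lines that do not parse or do not match are skipped.
    """
    table = {sha1_hex(word): word for word in wordlist}
    cracked: Dict[str, str] = {}
    for raw in lines:
        email, sep, digest = raw.strip().partition(":")
        if not sep or not email:
            continue
        plaintext = table.get(digest.strip().lower())
        if plaintext is not None:
            cracked[email.lower()] = plaintext
    return cracked


def cross_reference(cracked: Dict[str, str], known: Set[str]) -> List[Tuple[str, str]]:
    """Keep only cracked pairs whose address is also known at the target service.

    The result is what a "Dropbox password list" built from a third-party
    breach looks like: each entry is right only where the user reused the
    password, and a unique password (or 2FA) makes the entry worthless.
    """
    return sorted((email, pw) for email, pw in cracked.items() if email in known)


if __name__ == "__main__":
    cracked = crack_dump(make_constructed_dump(), WORDLIST)
    for email, pw in cross_reference(cracked, KNOWN_DROPBOX_EMAILS):
        print(f"{email}:{pw}")
```

Two of the four constructed users end up on the "Dropbox" list; bhale, whose password was random and therefore not in the wordlist, never appears even though the address is known, and alice is cracked but dropped because the address is not known there. That is the whole story of the thread: the list is only as good as the overlap between weak, reused passwords and the target's user base.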

------
mkal_tsr
Once again, the "journalists" can't be arsed to do any actual work but instead
parrot what they heard. Absolutely shameful on their part.

Edit: For those down-voting me, please explain how condemning factually
incorrect "news" is bad? Thanks :-)

~~~
hug
Which journalists? Ars Technica posted an article with the qualifying word
"apparently" in the title, weasel words like "appears" in the body, contacted
Dropbox for comment, had obviously tested the password reset functionality
since they mention it was sluggish.

Their suggestion was "reset your password anyway, and turn on 2fa". None of
this seems unreasonable.

~~~
huskyr
> Which journalists?

* Cnet: "Hackers hold 7 million Dropbox passwords ransom". [http://www.cnet.com/news/hackers-hold-7-million-dropbox-pass...](http://www.cnet.com/news/hackers-hold-7-million-dropbox-passwords-ransom/)

* Engadget: "Dropbox account passwords posted online and millions more might follow" [http://www.engadget.com/2014/10/14/dropbox-log-in-posted-onl...](http://www.engadget.com/2014/10/14/dropbox-log-in-posted-online/)

* Business Insider: "Nearly 7 Million Dropbox Passwords Have Been Hacked" [http://www.businessinsider.com/dropbox-hacked-2014-10](http://www.businessinsider.com/dropbox-hacked-2014-10)

