Earlier this week, my colleague Chris from Threatpost penned an article about how Dropbox forced a password reset for users who had not changed their passwords since 2012. At the time of his post, Dropbox called the move “purely a preventative measure.”
Back in 2012, Dropbox was the victim of a security breach that caused headaches and spam for users of the service. Four years later, the full extent of the breach is now coming to light after a cache of Dropbox user credentials was discovered online. Last night, Motherboard reported that the databases making their way around the database trading community were real and comprised more than 68 million Dropbox accounts.
In the post, Motherboard noted that Dropbox had not seen evidence of malicious account access. Of the 68 million-plus accounts, approximately 32 million are secured with bcrypt; the rest are hashed with SHA-1.
What does this mean?
According to Motherboard’s report, the Dropbox data dump is not currently listed on the major dark web marketplaces, presumably because when passwords are adequately secured, their value to criminals diminishes. Given that this story is still developing, I suggest keeping tabs on Threatpost; they’ll have rapid coverage should things change.
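To illustrate why the bcrypt versus SHA-1 split matters, here is an added example (not code from the original post or from Dropbox): unsalted SHA-1 gives every user with the same password the same hash, a salted and deliberately slow scheme does not, and a service can migrate legacy records at the moment of the next successful login. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it; all function names and sample records are constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# bcrypt is not in the standard library, so salted, iterated PBKDF2-HMAC-SHA256
# stands in for it here (an assumption); both add a per-record salt and a work factor.
PBKDF2_ROUNDS = 100_000

def legacy_sha1(password):
    """Unsalted SHA-1: the scheme protecting the older part of the dump."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def modern_hash(password, salt=None):
    """Salted, deliberately slow hash with a fresh random salt per record."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())

def verify(record, password):
    # Constant-time comparison against whichever scheme the record uses.
    if record.startswith("sha1$"):
        return hmac.compare_digest(record, legacy_sha1(password))
    _, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login_and_upgrade(store, user, password):
    """Returns (accepted, upgraded). A successful login is the only moment the
    plaintext is in hand, so a legacy record is re-hashed right then."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False, False
    if record.startswith("sha1$"):
        store[user] = modern_hash(password)
        return True, True
    return True, False

def legacy_exposure(store):
    """Records per scheme, plus legacy hashes shared by several users: with no
    salt, equal passwords give equal hashes, so one recovery opens them all."""
    schemes = Counter(r.split("$", 1)[0] for r in store.values())
    legacy = Counter(r for r in store.values() if r.startswith("sha1$"))
    return {"by_scheme": dict(schemes),
            "shared_legacy_hashes": sum(1 for n in legacy.values() if n > 1)}

STORE = {"alice": legacy_sha1("correct horse battery"),  # constructed data; same password as bob
         "bob": legacy_sha1("correct horse battery"),
         "carol": modern_hash("a different passphrase")}
```

Running `legacy_exposure(STORE)` before and after a few logins shows the legacy count shrinking as users authenticate, which is the only point at which a service can re-hash without knowing the plaintext in advance.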
What should you do?
In the grand scheme of things, this breach is just another one to add to the ever-growing list of data dumps from megasites. It joins LinkedIn, MySpace, Tumblr, OKCupid, and Spotify (x2), among others. Criminals find value in account credentials, and we know that hackers are gonna hack, so what we need to do as citizens of the digital world is to be smarter about how we secure our digital lives. As with any major breach, we will bang the drum on five essential tips for online security:
1. Use strong passwords and change them regularly. Can we all agree that keeping the same password for four years is not a good idea? Beyond that, passwords should both be easy to remember and strong (for an exercise in creating strong passwords, try our password check tool).
2. Delete old accounts. When we reported on Myspace in May, a common piece of snark on our internal chat was, “Wait, people still use Myspace?” Well, no, not many do, but many dormant accounts still exist. People set up the free accounts in the early 2000s and simply forgot about them when shiny objects like Twitter and Facebook burst onto the scene and supplanted the one-time head honcho of social networks.
A good rule of thumb is to get rid of any accounts that you are not actively using. The reason for this is that if you aren’t actively managing an account — and regularly changing the password on it — you could be leaving yourself at risk, especially if you are in the habit of reusing passwords.
3. By the way: Don’t reuse passwords. I’ve mentioned it a few times already, but it deserves its own point. Just say no to reusing passwords. Sure, it makes things easy for you, but consider the password you used to join a My Little Pony community being stolen and allowing crooks into your bank account.
4. Activate two-factor authentication. Most online services enhance user security by offering two-factor authentication. They use app verification or SMS to ensure that the person attempting to get into an account is the person authorized to use the account. (Note: Dropbox offers this option.)
5. Before connecting services, think twice. Is it vital to use one login — or to create another account? The answer is up to each user, but the question is one to seriously consider.
In closing, the Dropbox data breach is another eye-opener and an important example of how criminals continue to target digital identities. We strongly advise everyone to roll the tips above into a regular security hygiene check. We have home security systems and locks for our terrestrial lives; we should be just as vigilant about our digital lives.