Rico's rants: Was your Dropbox account hacked?

01 September 2016

Was your Dropbox account hacked?

Fortune has an article by David Meyer about yet another hack:

Dropbox recently reset many of its users passwords due to a data breach that took place back in 2012.
However, the scale of that breach has only now become apparent. According to Motherboard, the details for a whopping seventy million accounts were stolen. These details included email address and hashed (protected) passwords.
Because of the date of the breach, the only people who might be affected by this information floating around now are those who haven’t changed their Dropbox password in four years. Hence the big reset.
Security researcher Troy Hunt confirmed that the hacked data was real by checking his wife’s details for the cloud storage service.
Knowing her real Dropbox password, which dated back to 2012, he was able to confirm that the scrambled or hashed version in the hacked data was, in fact, genuine. Fortunately, he said Dropbox had done a good job of keeping those passwords hard-to-read. “The bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” Hunt wrote.
Hunt runs a very useful service called Have I Been Pwned that lets people search troves of hacked login data for their own email addresses. It now has almost all those credentials from the Dropbox breach in there, so search away.
Remember to enable two-factor authentication and to avoid sharing your passwords across multiple services; a Dropbox employee’s own lax practices enabled the theft of all this information in the first place.