Business owners who use Dropbox have been warned to update their passwords and watch out for phishing attacks, following the leak of almost 60 million users’ data last week.
The cloud data storage company suffered a security breach in 2012, which at the time the company claimed to be limited to a singular document containing users’ email addresses. However, Fairfax reports the breach is in fact much more serious, with almost 69 million accounts affected.
The leaked data includes the email addresses of all these accounts, along with hashed and salted passwords. Dropbox has taken action to protect affected users, forcibly changing passwords for those who signed up to Dropbox before mid-2012 and have not changed their password since then.
Hashing and salting is a method used globally to protect stored passwords from being deciphered, as passwords are almost never stored as plain text. Michael McKinnon, cyber security expert and director at Sense of Security, told SmartCompany this means only some Dropbox users should be worried.
A mix of two different hashing algorithms, one called bcrypt and the other called SHA-1, protected the stored passwords. McKinnon says the bcrypt protected passwords are “much more complex”, requiring more computing power to crack.
However, SHA-1 protected passwords are easier to decipher, with hackers being able to run programs processing millions of attempts per second to decipher the algorithm.
“It is definitely not impossible for these passwords to be cracked, and it’s even more likely if users are using weak passwords,” McKinnon says.
McKinnon says passwords less than eight characters with simple structure, such as “123456”, are “trivially easy” to crack. McKinnon recommends all affected Dropbox users change their passwords to prevent breaches on other accounts where they might have used the same password.
“Changing any duplicate passwords you have is the best failsafe against these sort of data breaches,” McKinnon says.
“My own account was compromised in the leak, but as I only used that password for Dropbox, I wasn’t overly concerned. We live in a world where you simply cannot afford to use the same password more than once.”
It is not known if data held within user’s Dropbox accounts is at risk, with McKinnon saying that’s the “$64 million question.”
McKinnon recommends businesses de-link old devices that were used to sign in to Dropbox, which can be done in the security settings area of the website.
Old devices, such as computers and phones, can potentially still contain Dropbox login details, which can be used to access the accounts contents.
As for the email addresses leaked, McKinnon believes businesses won’t have much to worry about. However, phishing attacks such as the one that targeted Victorian businesses last month are what SMEs should watch out for.
“You have to expect that email addresses are public anyway, but the thing is that now hackers know that this email address is linked to a Dropbox account,” McKinnon says.
“Businesses should now be aware of phishing attacks that ask you to login to your Dropbox account for weird reasons, as hackers will be targeting people based on this data.”
Dropbox Head of Trust and Security Patrick Heim also warned users of these attacks, saying in a statement: “Individuals who received a notification from Dropbox should also be alert to spam or phishing”.
“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts,” Heim said.
“While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites.”
LeakedSource also revealed yesterday the data of 44 million users of music streaming website Last.fm has been leaked, which also stems from a breach in 2012.
The passwords from this breach were hashed, but unsalted, the algorithm being “so insecure it took us two hours to crack and convert”, LeakedSource said. The salting process simply injects random data into the hash algorithm, making no sure no two same passwords have the same hash data.
“If there’s no salt, it’s an easy job for hackers to crack passwords on a mass scale. Salting passwords means they each have to be cracked individually,” McKinnon says.
LeakedSource revealed the top 50 most used passwords from the data breach, all of which were well below recommended password security levels. More than 250,000 users had ‘123456’ as their password, followed by 92,000 people using ‘password’, and 66,000 using ‘lastfm’.
Last.fm has not commented on the data breach at time of publication and have not responded to SmartCompany’s enquiry.
As always, this serves as a timely reminded for Internet users everywhere to update their password security, with even Facebook founder Mark Zuckerberg being guilty of poor password security.
Worried users can use a service such as Have I Been Pwned to check if their credentials have been compromised.