The requested article has expired, and is no longer available. Any related articles, and user comments are shown below.
Dropbox says 68 million user IDs stolen
WASHINGTON
© 2016 AFP
15 Comments
FourIce
Dropbox's response is not good enough as they haven't answered how this can be prevented in the future. Dropbox security breaches happened in the past but did nothing at all to prevent it. So I'm giving up on Dropbox.
Strangerland
No system is unhackable. There is always someone who will be able to figure out how to crack it. Look at iPhones: they have the full weight of Apple doing their best to make sure they are unhackable, and yet the jailbreakers keep finding ways to break Apple's security.
However, the fact that Dropbox was using salted hashed passwords shows that they had correct storage of passwords in their system, and having these hashed and salted passwords does not really do much of anything for the hackers since they cannot be reverse engineered.
Wakarimasen
So what? Who cares if someone's Dropbox account is hacked?
turbotsat
See the list of breaches at https://haveibeenpwned.com/.
Hackers possess these millions of (account names and/or email addresses) + password pairs, because they can purchase these leaked databases online.
They can check each pair against hundreds or millions of websites, and for those where the password works, they can log in to those accounts. And try wiggling the passwords a little if they don't get through with the passwords they do have.
Strangerland
Not exactly. They possess the account names and email addresses, and the salted and hashed passwords, not the passwords themselves.
No they can't because they don't have the passwords. A hashed password is not reversible. A salted password increases the security, as the hashed passwords cannot be compared to lists of known hashes to try to reverse-guess what the password may be.
John Constantine
68 million clients... I had to read the article to find out what "Dropbox" was. I guess I am a little behind the times. :(
turbotsat
The problem is that many of the databases were obtained with unsalted or even plaintext passwords. And these are for millions of accounts.
You may be only talking about the DropBox breach, but my post said "list of breaches", not DropBox.
For example:
https://haveibeenpwned.com/PwnedWebsites
Strangerland
Then what does that have to do with either the current conversation, or even the question you were responding to?
In this case, the passwords were hashed and salted, not stored in plaintext.
turbotsat
Some hackers claim to have accessed DropBox accounts.
When DropBox says their passwords were salted and hashed, basically you're trusting their word, unless you've seen the database yourself.
Also, Wakarimasen asked "So what? Who cares if someone's Dropbox account is hacked?".
And I explained how possession of one account via a breach of one site can mean possession of the user's accounts on many other sites.
AND, in the article just above, DropBox itself reports that (!!!):
So, are we covered? Do you want to split the hair any finer?
Strangerland
Without anything to show that they are lying, there is no reason not to believe them.
The breach happened in 2012, so the hashed passwords are out there. While the hashing cannot be reversed at this time, that could happen at another time in the future. Advising people to change their passwords is a smart move to prevent them from potential future culpability.
turbotsat
You're so trusting.
Googling "dropbox's password breach", on the first page there is a hit to an article that links to another article written by someone who obtained the leaked databases, "Troy Hunt". He says around half the passwords were hashed without salt, or had the salts included in the leak (that's around 34 million). He verified this by unhashing his and his wife's password entries in the leaked Dropbox databases.
http://arstechnica.com/security/2016/08/dropbox-hackers-stole-email-addresses-hashed-passwords-68m-accounts/
https://www.troyhunt.com/the-dropbox-hack-is-real/
Strangerland
Ok, so some of the hashed passwords are out there. They are still hashed, just not salted. The rest of them are salted.
So it still stands, no one has anyone's dropbox password. They have hashes of the passwords. It would be a good idea to change that password in case yours was one that was salted, but if you are using strong passwords in the first place, then having the hashed password and even having the salt isn't going to do the hackers much of anything.
cwhite
If you have a dictionary password + a few random numbers then you already have a problem, but since the passwords were salted hash passwords they are of very little use if you have commonsense passwords.
turbotsat
"Some of" = ~34 million!
And lots of people don't use strong passwords.
And the definition of 'strong' has changed:
https://www.schneier.com/blog/archives/2013/06/a_really_good_a.html
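The disagreement above turns on what a salt does and does not buy. As an added illustration, written for this page and not taken from any commenter, Dropbox or Troy Hunt, the Python below models a wordlist attack on a leaked database: against unsalted hashes one precomputed table is reused for every account, while per-user salts make that table useless and force the work to be redone per account; a password outside the wordlist survives in both cases. SHA-256 as the fast hash, the wordlist and the three accounts are assumptions constructed for the demo (the page does not say which algorithms Dropbox used).

```python
import hashlib
import os

# Constructed wordlist and accounts for illustration; nothing here comes from
# a real breach. SHA-256 is an assumed stand-in for "an unsalted fast hash".
WORDLIST = ["123456", "password", "qwerty", "letmein", "dropbox1"]
STRONG = "correct horse battery staple"  # deliberately not in the wordlist

def fast_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def unsalted(password: str) -> str:
    return fast_hash(password.encode())

def salted(password: str, salt: bytes) -> str:
    return fast_hash(salt + password.encode())

def crack_unsalted(leaked: dict) -> tuple:
    """leaked: user -> unsalted hash. One precomputed table serves all users,
    so the cost is len(WORDLIST) hashes no matter how many accounts leaked."""
    table = {unsalted(w): w for w in WORDLIST}      # built once, reused forever
    hashes_computed = len(WORDLIST)
    found = {u: table[h] for u, h in leaked.items() if h in table}
    return found, hashes_computed

def crack_salted(leaked: dict) -> tuple:
    """leaked: user -> (salt, hash). No shared table is possible: each user
    costs a fresh pass over the wordlist, so work scales with users x words."""
    found, hashes_computed = {}, 0
    for user, (salt, h) in leaked.items():
        for w in WORDLIST:
            hashes_computed += 1
            if salted(w, salt) == h:
                found[user] = w
                break
    return found, hashes_computed

def demo() -> dict:
    # Constructed "leaked database": two weak passwords, one strong passphrase.
    pw = {"alice": "123456", "bob": "qwerty", "carol": STRONG}
    unsalted_db = {u: unsalted(p) for u, p in pw.items()}
    salts = {u: os.urandom(16) for u in pw}          # one random salt per user
    salted_db = {u: (salts[u], salted(p, salts[u])) for u, p in pw.items()}
    f1, c1 = crack_unsalted(unsalted_db)
    f2, c2 = crack_salted(salted_db)
    return {"unsalted_found": f1, "unsalted_work": c1,
            "salted_found": f2, "salted_work": c2}
```

The weak passwords fall either way; what the salt changes is that the attacker's precomputed table is worthless and the cost grows with the number of accounts, which is why a slow hash plus a salt plus a password outside any wordlist is the combination that actually holds up.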
Black Sabbath
Which is why I don't use it.
F%$G the cloud.