She hadn't changed the password since April 2012 which means that assuming Dropbox is right about the mid-2012 time frame, this was the password in the breach.I've obfuscated part of it just in case there's any remaining workable vector for it in Dropbox but you can clearly see it's a genuinely random, strong password. Because she uses a password manager, she had a good password.
If your significant other doesn't (and I'm assuming you do by virtue of being here and being interested in security), go and get them one now! 1Password now has a subscription service for $3 a month and you get the first 6 months for free. Now there's three things I'd like to point out here: Well it was partly the same, she too had an entry in the breach: here's where things differed: So I trawled through the data and sure enough, there was my record: head off to my 1Password and check my Dropbox entry only to find that I last changed the password in 2014, so well after the breach took place. Fortunately because it's Dropbox, there's no shortage of people with accounts who can help verify if the data is correct. But I like to be sure about these things and as I've written before, independent verification of a breach is essential. It's not clear whether they provided the data they obtained from Leakbase to Dropbox directly or not, although it would be reasonable to assume that Dropbox has a copy in their hands from somewhere. It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible.Īt first glance the data looks legit and indeed the Motherboard article above quotes a Dropbox employee as confirming it. Only half the accounts get the "good" algorithm but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at some point in time. What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this: Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked.
0 kommentar(er)
