For hackers, years-old leaks of millions of people's private credentials don't expire. Instead, they become a kind of collector's item.
Since people so often reuse passwords, or use easily guessable variations on a theme, the data in a trove of usernames and passwords can help bad actors access all sorts of accounts, whether it's from last week or half a decade ago. Now the latest old hack to resurface has exposed 68 million user credentials from Dropbox, and its apparent age shouldn't be much comfort to anyone whose data was stolen.
Last week Dropbox announced that it had performed a mass account reset and would prompt users who hadn't changed their passwords since mid-2012 to do so. The company wrote, "Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."
In 2012 Dropbox had saidthat spammers were using credentials obtained in breaches of other websites to access some Dropbox accounts. The company added that one of its employees' accounts had been compromised this way, revealing more user email addresses stored there in a document. But Dropbox failed to offer any hint at the scale of the breach---either last week or in 2012---and it's now clear the data spill is far larger than their careful public statements let on.
Late yesterday, Motherboard reportedthat it had acquired the stolen trove of Dropbox credentials and that it contained no less than 68,680,741 account records. A senior Dropbox employee told the publication that the credentials were legitimate, and data leak compiler and security researcher Troy Hunt has since chimed in to agree.
Dropbox says that it hasn't seen evidence of intrusion on the compromised accounts, and they've all had their passwords reset as of last week. The company has been encouraging users to enable two-factor authentication (which it also did in 2012) and is suggesting that users change their passwords on other sites if they ever reused a Dropbox password somewhere else. You can check if your data is included in the breach using Hunt's tool HaveIbeenpwned.
The good news is that the passwords in the data dump are hashed, and what was actually exposed is that scrambled data---the output from running passwords through a cryptographic algorithm. But some were protected using bcrypt, which is believed to be a more robust algorithm, while some used SHA-1, an older, weaker hashing function.
Dropbox has certainly been in damage-control mode, characterizing the password reset in emails to affected users as "purely a preventative measure." But if Dropbox left affected users' passwords unchanged since 2012, that may have offered hackers in possession of the leak enough time to crack the cryptographic hashes and access not only their Dropbox accounts, but any other account where they reused that cracked password. "Having investigated parallel types of cases in prior years ... when you have large-scale password leaks like this, the ramifications get felt at a lot of organizations for a long time," says Ryan Kazanciyan, chief security architect at network security firm Tanium. He compares the leak to the recent breach of years-old Linkedin user data, which has since become a powerful tool for password crackers. "It just became an easy starting point for password guessing, because everyone had access to the dump."
By resetting affected victims' passwords, Dropbox has now taken the basic steps necessary to respond to the hack. But here's hoping the next data breach target takes those "purely preventative measures" a few years faster.
