Hundreds of Dropbox credentials reportedly leaked online, company denies breach

Posted in General Discussion, edited October 2014
A thread on Reddit late Monday linked to a cache of Dropbox usernames and corresponding passwords allegedly gleaned from a Dropbox breach, but the company maintains its servers were not infiltrated and instead placed blame on an unnamed third-party service.

Along with the approximately 400 usernames and passwords posted to Pastebin in plain text, hackers claimed to be in possession of access data for up to 7 million accounts taken directly from Dropbox servers, reports The Next Web.

In a statement issued on its official blog shortly after the leak, Dropbox denied the breach, saying the credentials had been stolen from unrelated services and then tried against numerous websites, including Dropbox, to catch users who had reused the same password.
Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Dropbox told the publication that it had previously detected the attacks, noting all passwords in the list are no longer in service, with a "vast majority" having been expired "for some time now."
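Dropbox's statement does not say how it spots this kind of activity, but the shape of a credential-stuffing run is distinctive enough to illustrate. The following is an added example, not Dropbox's code: it runs a simple detector over a handful of constructed login-log lines (the log format, IP addresses and account names are all made up for the example) and reports the source IPs that tried many different usernames with a high failure rate, plus any account those IPs actually got into, which is the set Dropbox says it force-resets.

```python
"""Credential-stuffing detector over authentication log lines.

This is an added example, not Dropbox's own code (they have not published
how their detection works).  The log format below is made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Made-up format: <ISO-8601 timestamp> <OK|FAIL> user=<name> ip=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 sprays leaked username/password pairs
# against six different accounts within a few seconds and gets one hit;
# 198.51.100.9 is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = """\
2014-10-13T22:00:01 FAIL user=alice@example.com ip=203.0.113.7
2014-10-13T22:00:02 FAIL user=bob@example.com ip=203.0.113.7
2014-10-13T22:00:02 FAIL user=carol@example.com ip=203.0.113.7
2014-10-13T22:00:03 OK user=dave@example.com ip=203.0.113.7
2014-10-13T22:00:03 FAIL user=erin@example.com ip=203.0.113.7
2014-10-13T22:00:04 FAIL user=frank@example.com ip=203.0.113.7
2014-10-13T22:01:00 FAIL user=alice@example.com ip=198.51.100.9
2014-10-13T22:01:10 OK user=alice@example.com ip=198.51.100.9
"""


def parse_log(text):
    """Yield (timestamp, success, user, ip) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the expected format
            yield (datetime.fromisoformat(m["ts"]), m["result"] == "OK",
                   m["user"], m["ip"])


def detect_stuffing(text, window=timedelta(minutes=10), min_users=5,
                    min_fail_ratio=0.5):
    """Return (suspicious_ips, accounts_to_reset).

    A source IP is suspicious when, inside any `window`-long span of its
    attempts, it tried at least `min_users` distinct usernames and at least
    `min_fail_ratio` of those attempts failed: one client that "knows" many
    accounts but mostly gets the password wrong is the signature of testing
    a leaked list, not of a user who forgot a password.  Every account that
    logged in successfully from such an IP inside that span is returned as a
    candidate for the forced password reset Dropbox describes.
    """
    attempts_by_ip = defaultdict(list)
    for ts, ok, user, ip in sorted(parse_log(text)):
        attempts_by_ip[ip].append((ts, ok, user))

    suspicious_ips, accounts_to_reset = set(), set()
    for ip, attempts in attempts_by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance `start` so the span [start, end] fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            distinct_users = {user for _, _, user in span}
            failures = sum(1 for _, ok, _ in span if not ok)
            if (len(distinct_users) >= min_users
                    and failures / len(span) >= min_fail_ratio):
                suspicious_ips.add(ip)
                accounts_to_reset.update(user for _, ok, user in span if ok)
    return suspicious_ips, accounts_to_reset


if __name__ == "__main__":
    ips, accounts = detect_stuffing(SAMPLE_LOG)
    print("suspicious source IPs:", sorted(ips))
    print("accounts to force-reset:", sorted(accounts))
```

The thresholds (five distinct usernames, half of the attempts failing, within ten minutes) are illustrative. Real stuffing runs are spread across many source addresses, so a production detector also keys on the credential list itself (the same username/password pairs appearing against many sites, as Dropbox describes) rather than on the source IP alone.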

For those who have not yet enabled two-step verification, Dropbox provides instructions for turning it on in the account's security settings. With two-step verification enabled, a password alone is not enough: the login also requires a six-digit, time-based code generated by an authenticator app such as Google Authenticator or, alternatively, sent to a trusted phone by text message. A stolen password reused from another site is then useless on its own, which is the attack the leaked list was being used for.
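For concreteness, this is what a "six-digit time-sensitive code" is. The block below is an added example, not Dropbox's or Google Authenticator's implementation: it implements HOTP (RFC 4226) and TOTP (RFC 6238) directly on top of HMAC-SHA1, uses the shared secret from the RFC's own test vectors rather than a real user's secret, and adds the two server-side checks the RFC leaves to the implementer: accepting a code from an adjacent 30-second step to tolerate clock skew, and refusing to accept the same code twice.

```python
"""TOTP (RFC 6238) code generation and server-side verification.

Added example, not Dropbox's implementation (their server-side details are
not published).  It shows what the "six-digit time-sensitive code" in the
article is: an HMAC over the current 30-second counter, truncated to digits.
"""
import hashlib
import hmac
import struct
import time

# Secret from RFC 6238 Appendix B (ASCII "12345678901234567890").  A real
# deployment generates a random per-user secret at enrolment and stores it
# encrypted; this one is public and only useful for checking the arithmetic.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, reduced mod 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check with clock-skew tolerance and replay protection."""

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.skew = skew_steps
        self.last_used_step = -1  # highest counter value already accepted

    def verify(self, code: str, unix_time=None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        # try the current step and `skew` steps either side of it
        for offset in range(-self.skew, self.skew + 1):
            step = current + offset
            if step <= self.last_used_step:
                continue  # replay: this step (or an earlier one) was already used
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code:", totp(RFC_TEST_SECRET, now))
    v = TotpVerifier(RFC_TEST_SECRET)
    print("accepted first time:", v.verify(totp(RFC_TEST_SECRET, now), now))
    print("accepted again (replay):", v.verify(totp(RFC_TEST_SECRET, now), now))
```

Two things worth noticing: the code is derived only from the secret and the clock, so an attacker who holds a reused password but not the secret cannot produce it; and the server must remember the last accepted step, otherwise a code phished or shoulder-surfed within its 30-second life can be replayed.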

Comments

  • Reply 1 of 56
    solipsismxsolipsismx Posts: 19,566member
    Here is what 1Password has to say about it, for those who still store their 1PDB in Dropbox.

    http://blog.agilebits.com/2014/01/12/dropbox-breach-hoax-1password-security-master-password/
  • Reply 2 of 56
    philboogiephilboogie Posts: 7,675member
    By my count that is the fourth time, in what, 2 years?
  • Reply 3 of 56
    solipsismxsolipsismx Posts: 19,566member
    philboogie wrote: »
    By my count that is the fourth time, in what, 2 years?

    This isn't a Dropbox breach so it shouldn't be added. That said, I really wish Dropbox would catch up to Google and Apple with the ability to create app/platform-specific passwords that will only allow itself to be used in one place, never to access their website directly, as well as allow the user to specify which folder(s) can be accessed with that password to help further isolate any potential data breaches.
  • Reply 4 of 56
    philboogiephilboogie Posts: 7,675member
    solipsismx wrote: »
    This isn't a Dropbox breach so it shouldn't be added. That said, I really wish Dropbox would catch up to Google and Apple with the ability to create app/platform-specific passwords that will only allow itself to be used in one place, never to access their website directly, as well as allow the user to specify which folder(s) can be accessed with that password to help further isolate any potential data breaches.

    While that's a valid point that it isn't their fault, to the end user it is, again, a 'bad Dropbox news; now I need to change my password again' situation. And simply changing your password doesn't automatically log you out on any device or browser that was already logged in.

    No, many things need to change at their end, your mention of app/platform-specific passwords being another one.
  • Reply 5 of 56
    solipsismxsolipsismx Posts: 19,566member
    philboogie wrote: »
    And simply changing your password doesn't automatically log you out on any device or browser that was already logged in.

    You can see which browsers and IP addresses have logged into Dropbox, as well as unlink any devices, but I don't think a password change is in order with this alleged breach.
  • Reply 6 of 56
    philboogiephilboogie Posts: 7,675member
    solipsismx wrote: »
    You can see which browsers and IP addresses have logged into Dropbox, as well as unlink any devices, but I don't think a password change is in order with this alleged breach.

    Indeed, but that's unlinking (not syncing anymore) but you cannot 'sign all browsers out' of Dropbox from their site, like you can with Apple.

    As for changing your password, if your account has indeed been accessed by someone else they already had the opportunity to download all data. Changing your password will only help to secure new (or changed) data.

    edit: I see they do have two-step verification, so that's good!
  • Reply 7 of 56
    @philboogie but it's the same with Apple's issues. To the end user, only the "big name" stays in memory. Hell, it's also the big name that makes the news, not "Operation Troll Security". People are people, and I guess that it's asking way too much to demand that non-tech people are tech-security savvy. That's what makes 1Passwd so valuable to people like my mum ^^
  • Reply 8 of 56
    philboogiephilboogie Posts: 7,675member
    ^ post

    Very true.
  • Reply 9 of 56
    There's a reason I've never trusted Dropbox.

    Thank goodness I've never had an account.
  • Reply 10 of 56
    I've stated this more than a few times, but in my experience with many clients and friends, the ability and freedom to create your own password should be taken away from most (all?) users.

    With that said... the next biggest problem is how to do password recovery (2FA but with randomized keys?)... and how to get people to use a password manager rather than just simply writing PW's down or worse, saving them in their email folders or notes online.

    I also think that Apple has a unique opportunity to make TouchID ubiquitous and to allow it to be used in replacement of 2FA and as a unique identifier. Plus I wholeheartedly want them to turn on 256bit*** encryption of iCloud accounts/backups... and force users to opt out through advanced settings.

    *** If technically feasible and only unlocked with the strong password, a random key sent to an authorized device, and TouchID... twice along the way.

    Basically:

    1) lock it all down... and with encryption;
    2) take the keys to unintelligible decisions away from the average non-tech person;
    3) rather than hasty decisions and jumping thru hoops in the set-up[S] faze[/S] phase (had a black out there), make the "lock down" decisions default... and advanced settings/opt outs later... with discouragement every step of the way.

    Security can no longer be left in the hands of the average user.

    NOTE: on Ars... it was reported in the comments that a number of passwords were of the simple "one word" variety that are easily brute-forced within minutes of access to a user-name. Also that many UID and PW combos were used across services, as well as across email accounts. Get the combo right, and use it for many services across a user's online presence.

    Edited: for momentary spelling black out... :rolleyes:
  • Reply 11 of 56
    There's a reason I've never trusted Dropbox.

    Thank goodness I've never had an account.

    It appears that most of the accounts were not hacked on DB's servers, but re-used UID and PW combos across different servers... that actually had been compromised.

    DB is an OK service, depending on what you use it for. I use it as a "project box" for clients... and clean it out as soon as a project is synced or downloaded.
  • Reply 12 of 56
    ThePixelDoc wrote: »
    With that said... the next biggest problem is how to do password recovery (2FA but with randomized keys?)... and how to get people to use a password manager rather than just simply writing PW's down or worse, saving them in their email folders or notes online.

    NOTE: on Ars... it was reported in the comments that a number of passwords were of the simple "one word" variety that are easily brute-forced within minutes of access to a user-name. Also that many UID and PW combos were used across services, as well as across email accounts. Get the combo right, and use it for many services across a user's online presence.

    Edited: for momentary spelling black out... :rolleyes:

    Personally, I'd rather have them write them down if it means they'll use a longer, more complex one. Most of these people aren't having their passwords stolen locally, they're just too short to stand up to any reasonable BFA.

  • Reply 13 of 56
    MacProMacPro Posts: 19,727member
    While on the topic of Drop Box and cloud storage in general, I have a few words about iCloud Drive. I know Apple's iCloud Drive doesn't have the sharing feature and costs more but man is it simple and fast! Simple as in it's just another external drive on my Mac, 100% part of the Finder ... only it is on all my Macs .... Fast as in I have run HD video from it!

    I spent the weekend testing all the cloud services I could and iCloud Drive was far and away the fastest. Several less expensive systems were barely dial up speed. I was able to run Blackmagic Disk Speed Test on my iCloud Drive getting 240 MB/s in both read and write which blew my mind and this from a new Mac Pro on ethernet and a MBP via WiFi and a Time Capsule Router

    I wanted to test using it for running an Aperture Vault of >350 GIGs which is why I need a cloud storage system mainly. It is so fast one could run the actual Library! However, the transition to iCloud Drive from iCloud i.e. the 10.9-10.10 is still a work in progress and the upgrade to 500 GIGs doesn't apply to the iCloud Drive yet. Running Yosemite my System Preferences shows I have 500 GIGs yet I am only seeing 50 GIGs. I am guessing that 500 GIGs is currently applied to the Mavericks supported elements only at present. It will be interesting to see what happens once Yosemite is officially released hopefully this month. Will the dev version see the space available in the iCloud Drive when Apple flips a switch or only the release version I wonder?
  • Reply 14 of 56
    koopkoop Posts: 337member
    This is that moment I plug a Microsoft product on an Apple site, but Office 365 with One Drive is pretty fantastic, and most likely more secure than Dropbox which has a history of cloud security issues.

    Just my two cents, and you get 5 copies of office as well as office for iPad.
  • Reply 15 of 56
    MacProMacPro Posts: 19,727member
    Personally, I'd rather have them write them down if it means they'll use a longer, more complex one. Most of these people aren't having their passwords stolen locally, they're just too short to stand up to any reasonable BFA.

    I always use the Apple automatically suggested passwords these days; given Keychain works and syncs across all my devices it's a no-brainer. I am puzzled why more folks don't use it. Oh .. it isn't a Yosemite-only feature, is it? I don't think so, although to be honest I can't even remember Mavericks these days!
  • Reply 16 of 56
    MacProMacPro Posts: 19,727member
    koop wrote: »
    This is that moment I plug a Microsoft product on an Apple site, but Office 365 with One Drive is pretty fantastic, and most likely more secure than Dropbox which has a history of cloud security issues.

    Just my two cents, and you get 5 copies of office as well as office for iPad.

    That was a service I didn't test. Can you run a speed test on that? Or do you happen to know the read/write performance specs by any chance?
  • Reply 17 of 56
    While on the topic of Drop Box and cloud storage in general, I have a few words about iCloud Drive. I know Apple's iCloud Drive doesn't have the sharing feature and costs more but man is it simple and fast! Simple as in it's just another external drive on my Mac, 100% part of the Finder ... only it is on all my Macs .... Fast as in I have run HD video from it!

    I spent the weekend testing all the cloud services I could and iCloud Drive was far and away the fastest. Several less expensive systems were barely dial up speed. I was able to run Blackmagic Disk Speed Test on my iCloud Drive getting 240 MB/s in both read and write which blew my mind and this from a new Mac Pro on ethernet and a MBP via WiFi and a Time Capsule Router

    I wanted to test using it for running an Aperture Vault of >350 GIGs which is why I need a cloud storage system mainly. It is so fast one could run the actual Library! However, the transition to iCloud Drive from iCloud i.e. the 10.9-10.10 is still a work in progress and the upgrade to 500 GIGs doesn't apply to the iCloud Drive yet. Running Yosemite my System Preferences shows I have 500 GIGs yet I am only seeing 50 GIGs. I am guessing that 500 GIGs is currently applied to the Mavericks supported elements only at present. It will be interesting to see what happens once Yosemite is officially released hopefully this month. Will the dev version see the space available in the iCloud Drive when Apple flips a switch or only the release version I wonder?

    That's some serious speed(!) Is the iCloud drive encrypted? Can it be? Just curious. I'm using BitTorrent Sync to a secure non-local server that I own which I'm very happy with, but I would like to move a client or 2 to something like the iCloud Drive for ease of use.

    The encryption part would just buttress my rants I've had in front of clients about other alternatives... :smokey:
  • Reply 18 of 56
    Not sure how this happened, but somehow it has to be Apple's fault. Yeah, those 'hacked' credentials from iCloud were used to access Dropbox. There's no other possible explanation.
  • Reply 19 of 56
    MacProMacPro Posts: 19,727member
    That's some serious speed(!) Is the iCloud drive encrypted? Can it be? Just curious. I'm using BitTorrent Sync to a secure non-local server that I own which I'm very happy with, but I would like to move a client or 2 to something like the iCloud Drive for ease of use.

    The encryption part would just buttress my rants I've had in front of clients about other alternatives... :smokey:

    I doubt it is encrypted but you could easily do that yourself I assume, just as you could to any other attached drive. Yes, I am still in shock at the speed of the beast. Hopefully it won't slow once the unwashed hordes have access ;) BTW you can drag a folder off the iCloud Drive onto an encryption app, I just tested with a simple hiding app called Ghost Sphere and it was able to hide the folder on the iCloud Drive, trivial I know but it shows it truly is very Finder compatible. Strangely I can't drag a self-made folder into the Finder's sidebar to alias for some reason, but I can add them to the dock which is cool. You can add Apple-provided folders, iWork folders for example, to the Finder's sidebar and dock.

    This is what I see in Sys Prefs ... Just wish I could access it!
  • Reply 20 of 56
    koop wrote: »
    This is that moment I plug a Microsoft product on an Apple site, but Office 365 with One Drive is pretty fantastic, and most likely more secure than Dropbox which has a history of cloud security issues.

    Just my two cents, and you get 5 copies of office as well as office for iPad.

    I'm a big fan of Office 365. 5 accounts each with their own 1TB of storage for $99 a year.

    Oh, and they throw in a FULL version of Office as well (including Access).
