[News] Dropbox has been hacked and 68 million passwords have been obtained


  • 0

    https://www.troyhunt.com/the-dropbox-hack-is-real/ (in English)

    Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.

    Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this:

    What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at some point in time. Only half the accounts get the "good" algorithm but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't. It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible.

    At first glance the data looks legit and indeed the Motherboard article above quotes a Dropbox employee as confirming it. It's not clear whether they provided the data they obtained from Leakbase to Dropbox directly or not, although it would be reasonable to assume that Dropbox has a copy in their hands from somewhere. But I like to be sure about these things and as I've written before, independent verification of a breach is essential. Fortunately because it's Dropbox, there's no shortage of people with accounts who can help verify if the data is correct. People like me.

    So I trawled through the data and sure enough, there was my record:

    [email protected]:$2a$08$W4rolc3DILtqUP4E7d8k/eNIjyZqm0RlhhiWOuWs/sB/gVASl46M2

    I head off to my 1Password and check my Dropbox entry only to find that I last changed the password in 2014, so well after the breach took place. My wife, however, was a different story. Well it was partly the same, she too had an entry in the breach:

    [redacted]@[redacted]$2a$08$CqSazJgRD/KQEyRMvgZCcegQjIZd2EjteByJgX4KwE3hV2LZj1ls2

    But here's where things differed:

    Now there are three things I'd like to point out here:

    1. My wife uses a password manager. If your significant other doesn't (and I'm assuming you do by virtue of being here and being interested in security), go and get them one now! 1Password now has a subscription service for $3 a month and you get the first 6 months for free.
    2. Because she uses a password manager, she had a good password. I've obfuscated part of it just in case there's any remaining workable vector for it in Dropbox but you can clearly see it's a genuinely random, strong password.
    3. She hadn't changed the password since April 2012 which means that assuming Dropbox is right about the mid-2012 time frame, this was the password in the breach.

    Knowing what her original password was and having what at this stage was an alleged hash of it, if I could hash her strong password using the same approach and it matched then I could be confident the breach was legit. With that, it was off to hashcat armed with a single bcrypt hash and the world's smallest password dictionary containing just the one, strong password. Even with a slow hashing algorithm like bcrypt, the result came back almost immediately:

    And there you have it - the highlighted text is the password used to create the bcrypt hash to the left of it. Now this isn't "cracking" in the traditional sense because I'm not trying to guess what her password was, rather it's a confirmation that her record in Dropbox is the hash of her very strong, very unique never-used-anywhere-else password. There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of.

    As for Dropbox, they seem to have handled this really well. They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon and frankly even if she hadn't, that password was never going to be cracked. Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public. Definitely still change your password if you're in any doubt whatsoever and make sure you enable Dropbox's two-step verification while you're there if it's not on already.

    There are now 68,648,009 Dropbox accounts searchable in HIBP. I've also just sent 144,136 emails to subscribers of the free notification service and a further 8,476 emails to those using the free domain monitoring service.

    Update (the following day): I went back into my 1Password today and whilst my current password was created in 2014, it had kindly stored a previous one I'd overlooked when originally verifying the Dropbox data:

    This password was replaced on the 22nd of September in 2012 so that gives you a sense of time frame that reconciles with what Dropbox has said in that the breach would have happened before this time.

    So with this password I then repeated the same process as I had with my wife's and sure enough, my hash in the data set checked out - the password is correct:

    Both my wife's and my strong, unique password manager generated and stored passwords are the ones in the Dropbox data breach. Frankly, there was no ambiguity as to the legitimacy of this data after my wife's password checked out, but this is yet more certainty that they did indeed suffer a data breach.

    https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach (in English)

    Although according to a guy on reddit, it's no big deal:
    https://www.reddit.com/r/news/comments/50gkgo/dropbox_hack_leads_to_dumping_of_68m_user/d741sap (in English)

    Chillax guys, it's salted hash, not plain text. So as long as you are not using super duper simple passwords like 'password' or your username, you are pretty fine. Rainbow Table is not possible since it's salted. Since there are so many passwords to try, attackers will only try the simplest and common ones.

    But still I recommend enabling 2FA especially on your Email account and password managers obviously. Also, salts of SHA1 are not leaked so those accounts are absolutely secure.

    EDIT:

    I have got lots of replies that are asking to go into detail. This is a relatively ELI5 answer.

    First of all, what is hashing (of passwords specifically)?

    Hashing is basically a one way function that converts any string of text (of any length) into a fixed number of length in a one way function (Note: Hashing also can be done on files but it's not relevant). I should emphasize on the one way function part. You CANNOT find the original string or predict any of its properties with its hash. And if that becomes possible, hash functions are considered dead and not safe.

    Now, no good websites should save your password in plain text. A small amount of security is storing just the hash of the passwords. e.g. If your password was hello, it would hash("hello") which would give a fixed output depending on their hashing algorithm.

    e.g. hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

    So, a website would not even itself know what your password is. Every time you type your password, it would hash it and compare it to the database.

    Now, here comes the rainbow tables part. There exist files of gigabytes in size that contain the hashes of common words and passwords.

    You could just feed '2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824' in the rainbow table and it would output "Hello". This works only on small or common strings generally depending on the algorithm. To prevent it, salting is used.

    What is salting?

    Salting is just the website adding some random characters to the end of your password and then hashing the password.

    And then, the salts are saved separately in plain text along with hash of (password+salt).

    What this does is it massively decreases the chance of rainbow attacks on dictionary words and common passwords as you have to check on a per-user basis. Salt also helps prevent attackers from seeing if two users have the same passwords which is another huge benefit of salting.

    I think this can be better explained by an example.

    hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

    hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1

    hash("hello" + "bv5PehSMfV11Cd") = d1d3ec2e6f20fd420d50e2642992841d8338a314b8ea157c9e18477aaef226ab

    hash("hello" + "YYLmfY6IehjZMQ") = a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007

    The thing that you append after the main password is the salt, which is done by the website itself.

    Now, if the attacker runs "a49670c3c18b9e079b9cfaf51634f563dc8ae3070db2c4a8544305df1b60f007" through a rainbow table, he will return no result because 'helloYYLmfY6IehjZMQ' is quite a long non common string.

    Obviously even with salts, if the salts also get leaked, super simple passwords are still affected. e.g. An attacker can run a script to check if any of the users' passwords is 'password123' if he knows the salts of the hashes as well as the hashing algorithm.

    But if your password has some small amount of uniqueness to it, you are much much safer.

    Source of the hash and salt examples Worth a read if you are interested in detail.

    What is 2FA?

    I have got like 2 or 3 replies asking about this so I am adding it in.

    2FA is 2nd Factor Authentication. It's an extra level of security needed when logging in a website along with a password.

    It's broadly divided into two parts,

    1. Message/Call based OTP (One Time Password)

    Many of you would have used this in the past. You can enable 2FA in your email service and most major websites support this type of 2FA also. This is basically mobile message verification. You get a message every time you login or every time you login from a new device depending on your preference which has a code that you have to type in to successfully login.

    Quite simple method but it has its flaws i.e. people calling up mobile carrier customer care and rerouting sim cards and stuff. But still really good security for someone not tech savvy.

    2. Time Based OTP

    Requires relatively more tech savviness and is better than previous methods and more websites support this type of OTP but services like Authy have in recent times made this easier for new users.

    In it, a QR code (which is just basically a private key) is displayed which you have to scan on your mobile phone/ tablet and every 30 seconds, a new code is generated depending on the current time. It does not require internet to generate codes as they are generated by mathematics.

    There are two apps I can recommend using for this.

    1. Google Authenticator: (Use this for non Google services is recommended but only if you are tech savvy or can backup your 2FA private key/QR Code)

    If you use this app for anything other than your Google, I cannot stress this enough. PLEASE backup your QR Code and save it on a flash drive or something. If you uninstall the app, you WILL lose all your codes and may be locked out of some of your accounts.

    2. Authy (Strongly recommended for new users)

    It's basically like Google Authenticator but allows you to backup (which is encrypted client side so don't worry) your 2FA keys so you can lose your phone and uninstall the app but the data is not lost and the Authy account is tied to your mobile number.

    What are password managers?

    Password managers store and help you generate random passwords so they are crack proof and you don't have to remember any of the passwords other than the main password of the password manager.

    Here's a list of password managers I recommend depending on your tech savviness level:

    Depends on how techy you are.

    Lastpass:

    The simplest and one of the best ones is Lastpass. It has awesome mobile as well as browser apps and extensions respectively. It works great, encrypts client side (obviously) and simplest to use. Make sure to backup the CSV file once every few months or so from the lastpass server and put it in a flash drive you never use (and preferably encrypt the flash drive using Bitlocker or something). This is because the encrypted data is still stored on the Lastpass server and what if Lastpass were to suddenly shut down. Backing up this file means you can import it to any other password manager anytime you want.

    Cons: If you want to use it on mobile devices, you have to pay yearly subscription fees. It may be worth it though. Second is it's stored online so make sure to backup/export the lastpass passwords once every few months just in case. And make sure to have a real long and strong password for your lastpass account so it can't be cracked as it's hashed and salted as mentioned above.

    Keepass:

    This is a much more advanced software. There are no official browser extensions or mobile apps but there are some great plugins and addons to make it work. You have to install addons if you want syncing. It works great and is easy to figure out if you are semi tech savvy.

    Really recommended for advanced users. Also recommended for new users to try out and continue using it if they like it.

    1password:

    Frankly, I would love to tell you all about it but I have never once used it. It is considered extremely good but is pretty expensive. Go check it out. It's a one time purchase and is easy to use. However I have no personal experience with it.

    I think with this I can finally conclude this comment completed over small small edits. I will still be making small edits, adding and correcting information. If you have any questions, reply or shoot me a PM.

    If you see anything in Spanish, post it :mgalletas: Well, do we change our passwords or what? xD
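The quoted comment explains hashing, salting and rainbow tables in words, and Troy Hunt's article verifies a leaked record by re-hashing a known password. The following is an added example (not code from Troy Hunt, the Reddit commenter, or Dropbox) that shows both ideas with the standard library: the comment's hash("hello") digest is SHA-256, so the unsalted value can be reproduced exactly; the three salts are the ones from the comment, while the "lookup table" is a constructed stand-in for a precomputed rainbow table and the helper names are hypothetical. Real sites should use bcrypt or another adaptive hash instead of a single SHA-256 round; this block only illustrates why a per-user salt defeats a shared lookup table.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Salts taken from the quoted comment (constructed sample values, not a real breach record).
SALT_1 = "QxLUF1bgIAdeQX"
SALT_2 = "bv5PehSMfV11Cd"
SALT_3 = "YYLmfY6IehjZMQ"

# Constructed list of "common" passwords standing in for a rainbow-table dictionary.
COMMON_PASSWORDS = ["password", "123456", "hello", "password123", "qwerty"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a string, hex encoded: the comment's hash("hello")."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: str) -> str:
    """hash(password + salt): the comment's convention of appending the salt to the password."""
    return sha256_hex(password + salt)


def new_salt(nbytes: int = 16) -> str:
    """Per-user random salt. It is stored in clear next to the hash; its job is only to be unique."""
    return secrets.token_hex(nbytes)


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precomputed digest -> password map, a toy stand-in for a rainbow table of unsalted hashes."""
    return {sha256_hex(p): p for p in candidates}


def lookup(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Reverse a digest through the precomputed table, or None if it was never precomputed."""
    return table.get(digest)


def verify_candidate(stored_digest: str, salt: str, candidate: str) -> bool:
    """What Troy Hunt did with one known password: recompute the salted hash and compare it.

    A constant-time comparison is used so the check itself leaks nothing through timing.
    """
    return hmac.compare_digest(hash_salted(candidate, salt), stored_digest)


def demo() -> Dict[str, object]:
    """Run the unsalted-vs-salted comparison and return the observations."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = sha256_hex("hello")
    salted = hash_salted("hello", SALT_3)
    return {
        # A plain hash of a common password is reversed instantly by the table.
        "unsalted_reversed_to": lookup(unsalted, table),
        # The same password with a salt is not in any table built without that salt.
        "salted_reversed_to": lookup(salted, table),
        # Same password, different salts: the stored digests no longer reveal a shared password.
        "same_password_different_digests": hash_salted("hello", SALT_1) != hash_salted("hello", SALT_2),
        # Knowing the password and salt, verification is a single hash computation.
        "known_password_verifies": verify_candidate(salted, SALT_3, "hello"),
        "wrong_password_rejected": verify_candidate(salted, SALT_3, "hello1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the comment makes about leaked salts holds here too: with the salt and the algorithm in hand, an attacker can still hash "password123" for each user individually, so the salt stops shared precomputation but not per-account guessing of weak passwords. That is what bcrypt's cost factor is for in the real Dropbox data.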



  • 1

    That's why I don't like the cloud.



  • 2

    @Xeyetor said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    That's why I don't like the cloud.

    you can protect your files before uploading them or use a password like: alsjdfñlasdñflajskdf



  • 3

    @Pixel said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Xeyetor said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    That's why I don't like the cloud.

    you can protect your files before uploading them or use a password like: alsjdfñlasdñflajskdf

    No password is going to cure my prejudices.



  • 4

    @Xeyetor said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Pixel said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Xeyetor said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    That's why I don't like the cloud.

    you can protect your files before uploading them or use a password like: alsjdfñlasdñflajskdf

    No password is going to cure my prejudices.

    but then it's a hash, you have to get it by trying normal words and passwords. If you have something weird..



  • 5

    Well if they have mine, let them enjoy the photos of me showing my balls :lolol:



  • 6

    Enjoy my empty cloud :roto2:



  • 7

    @Violacabrasmelladas said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    Well if they have mine, let them enjoy the photos of me showing my balls :lolol:

    They say you should shave them :sisi3:



  • 8

    @Pixel said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Violacabrasmelladas said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    Well if they have mine, let them enjoy the photos of me showing my balls :lolol:

    They say you should shave them :sisi3:

    I already do :moonwalk:



  • 9

    It was in 2012 :nusenuse:
    The bummer is that now they try your password and email on every service on the internet
    I'm on the list with the 4 accounts we have in the family :nusenuse:



  • 10

    @marty where is that list? :roto2:



  • 12

    @marty said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Pixel said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @marty where is that list? :roto2:

    Put your email in there

    https://haveibeenpwned.com

    Sorry guys:

    No breached accounts and no pastes (subscribe to search sensitive breaches)
    

    :sirdance:



  • 13

    My old email shows up, the one I used in 2012; for a while now I've had a different email and a different password. Even so, I'll still have accounts with that email and password on some unimportant site.



  • 14

    in dropbox I only keep documents and manuals to share, I don't much care if they hack it...



  • 15

    @Cianuro said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    in dropbox I only keep documents and manuals to share, I don't much care if they hack it...

    as long as you don't share that password with another site...



  • 18

    @marty said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Cianuro said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    in dropbox I only keep documents and manuals to share, I don't much care if they hack it...

    as long as you don't share that password with another site...

    Ufff... same as @Cianuro, I have an account I've used maybe twice to send non-personal stuff, so on that front I don't care, but I have the bad habit of almost always using the same password on every service :qmiedo:

    @Pixel said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @marty said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @Pixel said in [News] Dropbox has been hacked and 68 million passwords have been obtained:

    @marty where is that list? :roto2:

    Put your email in there

    https://haveibeenpwned.com

    And how do I know they didn't make that page themselves to hack me :ahsisi:

    I thought the same, and even more so with that name



