The Dropbox data breach is a warning to update passwords

Stolen Dropbox data on 68 million user accounts has begun leaking on the internet

Recent data breaches underline the need for Internet users to regularly update the passwords for all their Internet accounts.

On Wednesday, Spotify reset the passwords of an unspecified number of users, just a day after data on 68 million accounts from Dropbox began reaching the Internet.

In a notice to users, Spotify said their credentials may have been compromised in a leak involving another service, if they used the same password for both.

“Spotify has not experienced a security breach and our user records are secure,” the company said in an email. The password reset is merely a precaution, it said.

There’s plenty of reason for Spotify to be cautious. Stolen Dropbox data, including user email addresses and hashed passwords probably taken from 2012, has begun circulating on the Internet.

Three sites that compile stolen accounts from data breaches were supplied copies of the stolen information and said it affects 68 million Dropbox users.

In addition, browser provider Opera said last week that its users’ data may have been compromised in a separate hack. That breach targeted Opera’s sync system, which stores passwords for sites that users visit, and 1.7 million users may have be affected.

Both Dropbox and Opera have already issued password resets. However, the affected passwords may also have been used for other Internet accounts. That could still give hackers a launching pad to attack users.

Fortunately, the stolen passwords from Dropbox and Opera were hashed, meaning they have to be cracked in order to be read.

That doesn’t mean hackers won't try. LeakBase, a repository for data breaches, obtained a copy of the Dropbox database and is trying to crack the passwords, which were secured using a hashing function called bcrypt.

“We are working on those, however it is taking a while,” LeakBase said in a message on Twitter.

Hackers may have tried to do the same. Dropbox says the data was probably stolen four years ago and the theft is only now becoming widely known.only now is becoming widely known.

However, bcrypt hashes are “exceptionally” difficult to crack due to the time and effort needed, said Troy Hunt, the creator of Have I been pwned?, another website that tracks data breaches. Only poorly chosen passwords that can be easily guessed are at risk, he said.

Even without the passwords, the stolen email addresses can be quite useful for hackers to attack other affiliated Internet accounts, said Adam Levin, chairman of security firm IDT911.

“All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions,” he said in an email.

Join the CSO newsletter!

Error: Please check your email address.

More about DropboxSpotifyTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Kan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place