September 25, 2016

Alleged Dropbox hack underlines danger of reusing passwords

(LiveHacking.Com) – News broke yesterday of an alleged hack on Dropbox that could have potentially leaked the passwords of millions of users. An anonymous hacker posted a few hundred usernames and passwords on Pastebin and claimed that they were for Dropbox accounts. The leaked list is for accounts with email addresses starting with the letter “b”. The opening text stated that Dropbox had been hacked and that the hacker had access to some 6,937,081 credentials. The hacker then asked for Bitcoin donations in exchange for more leaked passwords.

Dropbox was swift to reply to the allegations and said that recent news articles claiming that it was hacked weren’t true. “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox,” wrote Anton Mityagin from Dropbox.

In a further update Dropbox said it had also checked a subsequent list of usernames and passwords that had been posted online, and that the second list was also not associated with Dropbox accounts.

If Dropbox is telling the whole truth, then it seems likely that the hackers have generated a list of user names and passwords from previous security breaches on non-Dropbox related sites and have tried their luck to see which users are using the same password on multiple sites. “Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services,” added Mityagin.
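The pattern described above, a leaked list of credentials tried one account after another, leaves a recognisable trace in a service's authentication logs. The following is an added example (not code from the article or from Dropbox) of detection logic run over a constructed sample log; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Dropbox data); assumed format: <ISO ts> <OK|FAIL> user=<email> ip=<addr>
SAMPLE_LOG = """\
2016-10-13T14:00:01 FAIL user=bart@example.com ip=203.0.113.7
2016-10-13T14:00:03 FAIL user=becky@example.com ip=203.0.113.7
2016-10-13T14:00:04 FAIL user=ben@example.com ip=203.0.113.7
2016-10-13T14:00:06 FAIL user=bill@example.com ip=203.0.113.7
2016-10-13T14:00:07 FAIL user=bob@example.com ip=203.0.113.7
2016-10-13T14:00:09 OK user=brenda@example.com ip=203.0.113.7
2016-10-13T14:01:00 FAIL user=alice@example.com ip=198.51.100.5
2016-10-13T14:01:20 OK user=alice@example.com ip=198.51.100.5
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")

def parse(lines):
    """Turn log lines into (timestamp, result, user, ip) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, max_success_rate=0.2):
    """Flag source IPs that try >= min_users distinct accounts inside `window` with a success
    rate <= max_success_rate: one guess per account, mostly failing, is a replayed credential
    list, not one user mistyping. Returns {ip: sorted accounts that DID log in}, to force-reset."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(lines)):
        by_ip[ev[3]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            successes = [e[2] for e in chunk if e[1] == "OK"]
            if len(users) >= min_users and len(successes) / len(chunk) <= max_success_rate:
                flagged.setdefault(ip, set()).update(successes)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))   # {'203.0.113.7': ['brenda@example.com']}
```

The single successful login from the flagged address is the account whose reused password is now known to the attacker, which is the one to reset and notify first.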

Dropbox users who have used the same password for their Dropbox account and for another website should change their Dropbox password immediately. For an added layer of security, Dropbox users can also enable two-step verification.

Dropbox adds another layer of security

(LiveHacking.Com) – Dropbox has added the option for users to activate two-factor authentication when accessing the cloud-based storage service from the web or from a desktop/mobile device. The move comes after a recent security incident where spammers got hold of the email addresses of some Dropbox users. After an investigation Dropbox blamed the security failure on an employee who reused his work password on a website that had been hacked.

With the new two-step authentication, a security code is needed to log in along with the normal username and password. The security code is issued by a mobile authenticator app (available for iOS, Android, Blackberry and Windows Phone 7) or sent by SMS to the user’s phone.

To use the new security layer, go to the Security tab in your Dropbox account settings and enable two-step verification in the “Account sign in” section. To confirm the action, you will need to re-enter your password. You can then choose to receive the security code by text message or by using a mobile app.

Dropbox supports any app that uses the Time-based One-Time Password (TOTP) protocol, including the following:

For those worried about the “inconvenience” aspect of enabling the extra step during authentication, fear not! On the desktop or when using a mobile app, you will only need the code the first time you sign in. For web access there is also the option to mark a computer/browser as trusted, meaning you won’t need to re-enter a code again (unless you delete your cookies).
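The codes that the authenticator apps mentioned above produce come from the TOTP protocol (RFC 6238 on top of RFC 4226). The block below is an added example, not Dropbox's or any app's code, showing both sides: the app generating a code from a shared secret and the server verifying it with a small clock-drift allowance and a replay guard. The secret is the RFC 6238 test vector; the skew and step sizes are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # RFC 6238 default time step, in seconds
DIGITS = 6   # code length used by most authenticator apps

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of steps since the Unix epoch."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, last_used_step: int = -1, skew: int = 1):
    """Server-side check. Accepts the current step plus `skew` steps either side to tolerate
    phone clock drift, but never a step at or before `last_used_step`, so a code that has
    already been accepted cannot be replayed inside the window. Returns the matching step
    (which the caller must persist as the new last_used_step) or None."""
    current = at // STEP
    for step in range(current - skew, current + skew + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None

def secret_from_base32(b32: str) -> bytes:
    """Apps are provisioned with a base32 secret (QR code or typed); decode, re-adding padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); its base32 form is the
# string an authenticator app would be given.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    assert secret_from_base32(RFC_SECRET_B32) == RFC_SECRET
    print(totp(RFC_SECRET, 59, digits=8))               # 94287082 per RFC 6238
    print(totp(secret_from_base32(RFC_SECRET_B32), int(time.time())))
```

Because any TOTP app computes the same function, the service does not need to know which app the user picked, which is why Dropbox can accept "any app that uses TOTP".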

Dropbox has also added a way for users to check all recent account logins; like the two-factor authentication settings, this is on the Security tab. Further setup instructions are available in the Dropbox Help Center.

Dropbox investigating how spammers got hold of email addresses

(LiveHacking.Com) – Dropbox is investigating why some of its users have been receiving spam to email addresses associated with their accounts. The problems began during Tuesday when some European Dropbox users started complaining on the support forums that they had started to receive spam. There is nothing unusual about spam nowadays, but this spam was going to email addresses that had been specially created for use with Dropbox and aren’t used anywhere else.

Later, at around 3 p.m. ET, Dropbox went down and users were unable to log in and access their files. Then by early evening (USA time) Dropbox issued a statement: “We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.”

According to a post in the forums by someone who appears to be a Dropbox employee, the site outage (at around 3 p.m. ET) “was incidental and not caused by any external factor or third-party.” In the same post “Joe G.” wrote “We wanted to update everyone about spam being sent to email addresses associated with some Dropbox accounts. We continue to investigate and our security team is working hard on this. We’ve also brought in a team of outside experts to make sure we leave no stone unturned.” He also wanted to assure users that Dropbox hasn’t had “any reports of unauthorized activity on Dropbox accounts.”

The BIG question is how the spammers got hold of the email addresses. There are two possibilities. First, Dropbox has suffered a security breach in which email addresses were stolen. During such a breach the hackers could also have taken the account passwords but chosen not to use them, instead using only the email addresses to try to make money via spam; or the passwords were hashed and salted and the hackers have been unable to crack them. The second possibility is that there is a vulnerability in Dropbox’s APIs, either web or in the SDK/protocols, that is allowing the spammers to capture email addresses without knowing any other user details.

Whichever it is, this could be a serious dent in the credibility of Dropbox and of cloud storage in general.