Security analysts question Dropbox's response to hack

The security community has been sharply critical of Dropbox for not sharing pertinent details of a massive security breach initially reported in 2012. The system-wide hack of the cloud-storage firm could potentially impact up to 68 million subscribers; security experts have warned consumers and business owners to update passwords and keep a close watch on payment and online activity.

“Our security teams are always watching out for new threats to our users,” wrote Dropbox representatives in a statement to the press. “As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”

It is unclear whether Dropbox failed to fully assess damages related to the breach or deliberately withheld information. An Oct. 13, 2014, blog post on the company’s website stated, “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including We have measures in place to detect suspicious login activity, and we automatically reset passwords when it happens.”

Remedial actions, protections

Despite its nonchalance in reacting to the cyberattack, Dropbox has consistently promoted its two-step authentication process and has repeatedly warned against reusing passwords “across services.” Payments and security analysts have called these efforts too little, too late.

"The Dropbox hack is gathering a great deal of attention now that Dropbox has formally recognized the breach,” said John Wethington, Vice President Americas at Ground Labs Pte. Ltd., an international security company. “Sadly, this data is over four years old but still dangerous due to its scale and the fact that 50 percent of the passwords were encrypted with a relatively weak hashing algorithm.”

Wethington called the issue a reminder that no one is immune from security breaches. “Even a four-year-old breach can come back to haunt you as a vendor or customer,” he said. “It's time that vendors began taking data security seriously as a business as usual practice and not an afterthought.” Cloud storage users must protect their sensitive data by regularly changing passwords and not using the same passwords on multiple websites, he added.

Change passwords, add salt

A number of independent security analysts have confirmed the Dropbox breach, comparing it to recent episodes at LinkedIn, MySpace, Tumblr and VK.com. Joseph Cox, Contributing Writer at Motherboard, reported as many as 32 million passwords at Dropbox use hashing method ‘bcrypt’ to make passwords indecipherable to unauthorized users. “These hashes seem to have also used a salt; that is, a random string added to the password hashing process to strengthen them,” he wrote. “Dropbox has changed its password hashing practices several times since 2012, in order to keep passwords secure.”

Cox and other security analysts have seen a marked difference between bcrypt and older hashing methods such as SHA1, which they claim are less effective.

“Only half the accounts get the ‘good’ algorithm, but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't,” wrote security expert Troy Hunt. “It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible.”

Hunt emphasized the importance of independent verification of all data breaches, which he said is easy to do with Dropbox, where “there’s no shortage of people with accounts who can help verify if the data is correct. People like me.”

Three-pronged security strategy

Hunt advocates the following three strategies for protecting data:

1. Use a password manager: These low-cost subscription services eliminate the need to store or remember multiple passwords.

2. Use strong passwords: Passwords with randomly generated characters and letters are better equipped to resist brute force attacks.

3. Routinely change passwords: This step limits the amount of time a stolen password might be of use to fraudsters.

Regarding the Dropbox intrusion, Hunt wrote, “Definitely still change your password if you're in any doubt whatsoever and make sure you enable Dropbox's two-step verification while you're there if it's not on already.”

Hunt praised Dropbox for its recent email communications, which mandated password changes. His wife was among the many thousands of users forced to change their passwords, despite the fact that her password was never in jeopardy.

“Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” Hunt wrote.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.