The Dropbox password theft has been confirmed by the company itself, but that’s not the worst of it.
Last week Dropbox sent an email to its users warning us that we had to change our password if we had not done so since October 2012. The message didn’t say much, and the company itself described it as only a preventive measure.
This is becoming more and more common among companies that specialize in the Internet; as we have already explained at Omicrono, many of these companies monitor the Deep Web for leaks of user accounts and compare the leaked emails with those of their own users. Since most people reuse the same password over and over, this notice was intended to get us to change our Dropbox password and stop using it on other services.
Why did you receive an email from Dropbox to change your password?
So the irony is considerable now that, in the last few hours, the true reason Dropbox sent that email to users has come to light. It all started in 2012, when attackers managed to break into a Dropbox employee’s system.
Initially, the company claimed that the attackers only obtained a list of users’ email addresses, which was in a file that was part of an internal project. Dropbox announced this in 2012, and nobody paid much attention, because getting hold of an email address is very easy anyway.
However, in the last few hours it has been discovered that in the 2012 attack the hackers also got hold of a list of passwords associated with those email addresses; in total, the attackers obtained the login data of 60 million Dropbox users.
Not everything is bad news, mind you. Those passwords were not stored in plain text but hashed. At the time of the attack Dropbox was in the middle of a migration, which is why some passwords are hashed with the SHA-1 algorithm (the standard) while others were hashed with bcrypt and are therefore much harder to crack. The passwords were also salted, meaning random data was mixed in with each one before hashing to make cracking harder (a practice that should be more common than it is).
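To make the difference between the two storage schemes concrete, here is an added Python example (not Dropbox’s code and not from the original article). It uses the standard library’s PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, since bcrypt needs a third-party package, and adds a migrate-on-login step of the kind a half-finished migration like the one described above needs; the passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter for the slow, salted hash (constructed value for the example).
# PBKDF2-HMAC-SHA256 stands in for bcrypt here; bcrypt is a third-party package.
PBKDF2_ITERATIONS = 200_000


def sha1_unsalted(password: str) -> str:
    """Legacy scheme: plain SHA-1 of the password, no salt.
    Identical passwords give identical digests, so one precomputed table
    or one cracked hash covers every user who chose that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None) -> dict:
    """New scheme: a random per-user salt plus a deliberately slow hash.
    Two users with the same password now get unrelated records."""
    salt = salt or os.urandom(16)  # 16 random bytes, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Check a password against either scheme using a constant-time compare."""
    if record["scheme"] == "sha1":
        return hmac.compare_digest(sha1_unsalted(password), record["hash"])
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def migrate_on_login(password: str, record: dict) -> dict:
    """Users left on the legacy scheme can only be re-hashed when the plaintext
    is available, i.e. at a successful login. Returns the record to store."""
    if not verify(password, record):
        return record  # wrong password: leave the stored record untouched
    if record["scheme"] == "sha1":
        return make_salted_record(password)  # upgrade to salted + slow hash
    return record


if __name__ == "__main__":
    legacy = {"scheme": "sha1", "hash": sha1_unsalted("hunter2")}
    print("legacy:", legacy)
    print("after login:", migrate_on_login("hunter2", legacy))
```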
How Dropbox password theft occurred
Everything indicates that, since the passwords were hashed, Dropbox decided not to inform users at the time and only made the theft of email addresses public. However, these days cracking passwords is not that difficult, so Dropbox sent the email to make sure we changed ours.
Do you want to know the most ironic thing of all? The 2012 attack happened because a Dropbox employee used the same password on LinkedIn that he used to access the company’s systems. And since LinkedIn had been hacked and its passwords posted, it was relatively easy for attackers to try the same password.
Dropbox has confirmed that it now avoids such practices and gives employees a 1Password password manager license to create strong, unique passwords for each service and for access to corporate systems. However, the lack of transparency is a big mistake that should not be repeated at this point.