SANS ISC: Dropbox Breach - SANS Internet Storm Center
Dropbox Breach

Dropbox has just joined the long list of sites that have been hacked.  It appears that there was a breach back in 2012 in which around 60 million account records were stolen, and evidence is now surfacing that the details from those accounts are circulating.  Dropbox is forcing password changes for the users it has identified as affected.

I don’t use Dropbox, but a number of our employees do, so I went to www.haveibeenpwned.com to check their accounts.  Sure enough, a couple of them were included in the list.  I immediately notified the users to change their Dropbox passwords.  Out of curiosity I checked my own email addresses (I use several, for security purposes).  I found that three of them were listed.  One was for a potential breach at Logmein.com.  They notified me several weeks ago, and when I logged in I was forced to change my password.  I felt pretty good about that.  However, what I discovered today is that two of my email addresses also appeared in a potential breach at Adobe.com, which I was not notified of.  I had forgotten that I had even set up an account under one of those addresses.  I also discovered a potential breach on an email address that I no longer use, for myspace.com.  Of course, there is no way to change this password because that email address has been done away with.  I requested that my account be removed.  Hopefully they will take care of that.  Interestingly, I have a subscription to one of the so-called financial protection sites that are supposed to be watching for these and notifying me when they happen.  I was notified by them about six weeks after I received the email from Logmein that I may have been breached.  They have never notified me of the others.  I guess I will keep an eye on my email addresses using the previously mentioned website.

I then started looking at some key email addresses here in the company.  One of them had a potential breach on linkedin.com.  I notified the user, and his response was, “So why would they steal LinkedIn information?”  My response: not sure…  Perhaps they are banking on people using the same password for other accounts, such as banking/credit card accounts.  If they happen on the email address in some other breach (such as your bank or your credit card), they will try the password.  His response was that it might be a good time to change some passwords.
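The bulk version of the check described above, as an added example that is not part of the diary: a Python script that asks the HIBP v3 breachedaccount endpoint about each address in a list and reports which breaches it appears in, oldest first. The v3 API requires an API key in the hibp-api-key header and a user-agent, and answers 404 for an address that is in no breach. The key, the address list and the embedded sample records are constructed stand-ins, and offline_fetch is a stub so the script runs without network access.

```python
"""Bulk-check e-mail addresses against Have I Been Pwned (HIBP) API v3.

Added example; not code from the ISC diary or from HIBP. Endpoint shape
follows the public HIBP v3 documentation (GET /api/v3/breachedaccount/
{account}, 'hibp-api-key' header, 404 = address not in any breach). The API
key, the address list and the sample records below are constructed.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{account}?truncateResponse=false"

# A fetcher returns (HTTP status, body); keeping it a plain callable lets the
# network layer be swapped for the offline stub further down.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(api_key: str, user_agent: str = "isc-diary-breach-check") -> Fetcher:
    """Build a fetcher that talks to the live HIBP API (needs a real key)."""
    def fetch(url: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, headers={
            "hibp-api-key": api_key,
            "user-agent": user_agent,   # HIBP rejects requests without one
        })
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as e:
            # 404 / 401 / 429 come back as data so the caller decides.
            return e.code, e.read().decode()
    return fetch


def breaches_for(account: str, fetch: Fetcher, retries: int = 3) -> Optional[List[Dict]]:
    """Breach records for one address: [] if clean, None if the API refused
    the query (missing/invalid key, or still rate limited after retries)."""
    url = HIBP_URL.format(account=urllib.parse.quote(account, safe=""))
    for _ in range(retries):
        status, body = fetch(url)
        if status == 200:
            return json.loads(body)
        if status == 404:
            return []            # HIBP's "not pwned" answer
        if status == 429:
            time.sleep(2)        # rate limited: back off, then retry
            continue
        return None              # 401 or anything unexpected
    return None


def report(accounts: List[str], fetch: Fetcher) -> Dict[str, List[str]]:
    """Map each address to 'Name (BreachDate)' strings, oldest breach first.
    Addresses that could not be queried are collected under the key "error"."""
    out: Dict[str, List[str]] = {}
    for acct in accounts:
        hits = breaches_for(acct, fetch)
        if hits is None:
            out.setdefault("error", []).append(acct)
            continue
        hits.sort(key=lambda b: b.get("BreachDate", ""))
        out[acct] = [f'{b["Name"]} ({b.get("BreachDate", "?")})' for b in hits]
    return out


# Constructed stand-in for the live service. Records are shaped like HIBP's
# JSON; the addresses are made up and the records are illustrative only.
_SAMPLE: Dict[str, Tuple[int, str]] = {
    "alice%40example.com": (200, json.dumps([
        {"Name": "Dropbox", "Domain": "dropbox.com", "BreachDate": "2012-07-01",
         "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "LinkedIn", "Domain": "linkedin.com", "BreachDate": "2012-05-05",
         "DataClasses": ["Email addresses", "Passwords"]},
    ])),
    "bob%40example.com": (404, ""),
}


def offline_fetch(url: str) -> Tuple[int, str]:
    """Answer from _SAMPLE; unknown addresses get 401, as if the key were bad."""
    account = url.rsplit("/", 1)[1].split("?", 1)[0]
    return _SAMPLE.get(account, (401, ""))


if __name__ == "__main__":
    # Replace offline_fetch with http_fetch("YOUR-HIBP-KEY") to query for real.
    for acct, names in report(["alice@example.com", "bob@example.com"], offline_fetch).items():
        print(acct, "->", ", ".join(names) or "no breaches found")
```

Only the address is sent to HIBP, never a password, and the live service rate-limits per key, so a run over a whole company directory should keep the retry/back-off path rather than hammering the endpoint; an address landing under "error" means the query did not get an answer, not that the address is clean.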

An article on Motherboard concerning the breach states:

This is just the latest so-called “mega-breach” to be revealed. This summer, hundreds of millions of records from sites such as LinkedIn, MySpace, Tumblr, and VK.com from years-old data breaches were sold and traded amongst hackers.

Perhaps it is a good time to change those passwords as well.  I try not to use the same password for multiple sites, and I strive to use good strong passwords.  I have devised a scheme for creating my passwords that allows me to recall the password for any site even though all of the passwords are different.

Many thanks to Troy for the haveibeenpwned.com website. 

For more information about the Dropbox breach see …

http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts

https://www.troyhunt.com/the-dropbox-hack-is-real/

Deb Hale, ISC Handler
"I have devised a scheme in creating my passwords that allows me to recall the password from any site even though all of the passwords are different."

If YOU can recall the password based on your scheme, and your email is in 2 or more breaches (or even just 1 depending on how simple/complex your scheme is), the bar is lowered for someone else trying to figure out your scheme either through specific targeting of your address or automated analysis of the password breaches. I'm just saying using a good password manager with 2-factor auth to access it and purely random passwords for your logins would likely be more secure than a mnemonic-based password scheme that someone could write scripting logic against to determine your scheme.
Anonymous