The Dropbox Hack - What it Means for your Organisation’s Security

It appears that the popular cloud storage service, Dropbox, was hacked at some point in 2012. The hack was made public in late August 2016. Account details of over 60 million users were leaked, including email addresses and hashed passwords (http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts).

To the everyday user, this does not seem unusual or particularly dangerous. Whilst the scope of the hack was large, Dropbox instructed its users to reset any passwords that had not been changed since 2012. Seemingly, as the company forced users to change their passwords, little harm was done to the information residing within the cloud storage. Plus, as most enterprises don’t use commercial cloud applications to store sensitive corporate data, the Dropbox hack shouldn’t have caused much of an issue, right?

Wrong.

This leak was a fertile ground for fraudsters, cyber criminals and nation state hackers to begin hunting for victims.

Why?

  • First and foremost, the hackers now have an extensive list of email addresses of both private and corporate entities (yes, many SMBs use cloud services for storage, and even some larger corporations). These will be used for massive spamming campaigns, most likely bearing the latest form of malware: ransomware.
  • In addition, given that over 50% of internet users re-use passwords (https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/), it is very likely that the leaked Dropbox passwords are also used to access many other accounts - talk about making the hackers’ lives easier when trying to penetrate multiple accounts!

Whilst around half of the leaked Dropbox passwords were protected with a strong hashing algorithm known as ‘bcrypt’, which takes plaintext passwords and puts them through a one-way function that turns the credentials into seemingly random chunks of data known as ‘hashes’, this is not foolproof. Even a strong hash can be defeated: if the original password wasn’t strong or long enough, the hackers are likely able to guess it, or to use automated tools to recover it; is anyone still using “password” or “123456”? Every leak reveals just how many people still use weak passwords.

Armed with your email address and password (or an educated guess), hackers can attempt to enter all your accounts (social media accounts, web email, etc.) and create havoc. They can take over an executive’s Facebook account and use it to make inappropriate remarks that will tarnish the company’s reputation, or they can attempt to access any system that allows remote login - like a cloud-based CRM. Once hackers gain a foothold in someone’s digital life, it is hard to remove, and it can be abused in many ways. The question is: what can corporations do about it?

Firstly, it’s vital to monitor the open web and darknet to try to identify such leaks before they become worse. Secondly, corporations must ensure that employees change their passwords, not only on the hacked site, but across all other sites and platforms. Thirdly, particular attention must be paid in the period following the attack; cyber criminals will try to exploit the users’ details as quickly as possible, so employees must be extra vigilant in identifying spam and spearphishing.

To demonstrate just how common the practice of re-using passwords is, note that the original breach of Dropbox (in 2012) appears to have been the result of a Dropbox employee reusing a password he had previously used on LinkedIn, the professional social network that had itself suffered a breach (https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach).

This post was written by Alon Arvatz, IntSights CPO
