Email addresses and password data for more than 68 million Dropbox users are being offered for sale on a darknet marketplace. The data set, which originates from a 2012 breach, contains users' email addresses along with their (hashed) passwords. At almost 5 gigabytes, it represents one of the largest leaks of user credentials in recent years. A data trafficker on the darknet site TheRealDeal has reportedly priced it at two bitcoins, equivalent to about $1,141 US dollars. There are no reports that the data set has actually been sold yet.
Dropbox disclosed the four-year-old breach a week ago, when it sent a notice to affected users informing them that it would be proactively resetting their passwords. Users were told that their accounts were being reset because the company had been made aware of a possible threat. It must be noted that the full extent of the breach was only reported by Motherboard, and confirmed by an unnamed senior Dropbox employee, several days later.
Dropbox knew about a security breach in 2012 and told its users at the time, but says that the true scale of the hack was new information until last week. Patrick Heim, head of trust and security at Dropbox, said that the company believed it had taken adequate protective measures by proactively resetting passwords. Heim added that there is still no evidence that users' passwords have been successfully cracked and sold.
Stolen user credentials can be highly profitable for data traders. Email and password combinations are routinely bought and sold on the darknet, a layer of anonymous and largely untraceable Internet that is frequently used for unlawful activity such as drug or arms trading. Large sets of stolen credentials can be loaded into software that automatically cycles through email/password pairs against other sites, a technique known as credential stuffing. Because many people reuse the same password on different sites, this can be an extremely effective attack. Dropbox itself points to an employee's password, reused from another site that had been hacked, as the root cause of the 2012 Dropbox breach.
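The attack described above leaves a recognisable trace on the target site: one source address failing logins for many different accounts in a short time, with the occasional success where a reused password happened to work. The following is an added example of that detection logic, not code from the original article or from Dropbox. It runs over a constructed sample of authentication log lines (the log format, the addresses and the account names are all assumptions for illustration), counts the distinct accounts that fail from each source within a sliding window, and then lists the accounts that succeeded from a flagged source, which are the ones an operator would force-reset first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format; not real Dropbox data).
# 203.0.113.5 sprays six different accounts in 15 seconds and gets one hit (carol).
# 198.51.100.7 is one user mistyping their own password five times.
# 192.0.2.9 fails three accounts spread over eight minutes.
SAMPLE_LOG = """\
2016-08-31T10:00:01Z src=203.0.113.5 user=alice@example.com result=FAIL
2016-08-31T10:00:03Z src=203.0.113.5 user=bob@example.com result=FAIL
2016-08-31T10:00:04Z src=203.0.113.5 user=carol@example.com result=OK
2016-08-31T10:00:06Z src=203.0.113.5 user=dave@example.com result=FAIL
2016-08-31T10:00:09Z src=203.0.113.5 user=erin@example.com result=FAIL
2016-08-31T10:00:12Z src=203.0.113.5 user=frank@example.com result=FAIL
2016-08-31T10:00:15Z src=203.0.113.5 user=grace@example.com result=FAIL
2016-08-31T10:00:20Z src=198.51.100.7 user=heidi@example.com result=FAIL
2016-08-31T10:00:25Z src=198.51.100.7 user=heidi@example.com result=FAIL
2016-08-31T10:00:30Z src=198.51.100.7 user=heidi@example.com result=FAIL
2016-08-31T10:00:35Z src=198.51.100.7 user=heidi@example.com result=FAIL
2016-08-31T10:00:40Z src=198.51.100.7 user=heidi@example.com result=FAIL
2016-08-31T10:00:45Z src=198.51.100.7 user=heidi@example.com result=OK
2016-08-31T10:01:00Z src=192.0.2.9 user=ivan@example.com result=FAIL
2016-08-31T10:05:00Z src=192.0.2.9 user=judy@example.com result=FAIL
2016-08-31T10:09:00Z src=192.0.2.9 user=mallory@example.com result=FAIL
this line is malformed and is skipped by the parser
"""

LOG_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, result); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Return {ip: peak number of distinct accounts that failed from that ip
    within any single window}, for ips whose peak reaches the threshold.
    Keying on distinct accounts rather than raw failure count is what separates
    credential stuffing from a single user who forgot their password."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, items in fails.items():
        items.sort()
        recent = deque()              # failures inside the current window
        in_window = defaultdict(int)  # user -> failures inside the window
        peak = 0
        for ts, user in items:
            recent.append((ts, user))
            in_window[user] += 1
            # Slide the window forward: drop failures older than window_seconds.
            while ts - recent[0][0] > window:
                _, old_user = recent.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            peak = max(peak, len(in_window))
        if peak >= min_distinct_users:
            alerts[ip] = peak
    return alerts


def likely_compromised(events, alerts):
    """Accounts that logged in successfully from a flagged source: the reused
    passwords that actually worked, and the first candidates for a forced reset."""
    return sorted({user for _, ip, user, result in events
                   if result == "OK" and ip in alerts})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing(evts)
    print("flagged sources:", flagged)
    print("accounts to reset:", likely_compromised(evts, flagged))
```

The thresholds (60 seconds, five distinct accounts) are assumptions to tune against real traffic. The per-source rule above is blind to stuffing spread across many addresses at a low rate each; for that case the same sliding-window logic is applied per account (failures for one account from many sources) or to the site-wide failure rate.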
But the stolen Dropbox passwords were not stored in plain text: they were hashed and salted, two techniques for protecting passwords if a database falls into attackers' hands. Hashing runs a password through a one-way function that produces a fixed-length digest from which the original password cannot be read back. Salting mixes a random per-user value into the password before it is hashed, so that two users with the same password end up with different digests and precomputed tables of common-password hashes are useless. Hashing and salting can keep passwords safe in a stolen database, but the threat is that hashes are not decoded so much as guessed: an attacker who holds the salts simply hashes candidate passwords and compares, and weak passwords protected by the fast hashing schemes of several years ago can eventually be cracked this way. As of now, there is still no confirmation that any of the passwords have been successfully cracked and sold. That is one reason why the reported price of the data, at two bitcoins, is so low.
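The following is an added example, not code from the article or from Dropbox, that shows the difference hashing and salting make and why neither stops a dictionary attack on a weak password. SHA-1 is used only as a stand-in for a fast, dated hash (the article does not name Dropbox's algorithm), and it goes one step beyond the text by contrasting it with a deliberately slow salted hash (PBKDF2), which does not prevent guessing but makes every guess expensive. The wordlist is a constructed six-entry stand-in for the far larger lists attackers use.

```python
import hashlib
import hmac
import os

# Constructed wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "dropbox", "qwerty", "iloveyou"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-1 of the password. Every user with this password gets the
    same digest, so one lookup table entry cracks all of them at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1: a per-user random salt is mixed in before hashing, so
    the same password stored for two users yields two different digests."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def hash_slow(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256: salted and deliberately slow, so each candidate
    the attacker tries costs `iterations` HMAC computations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_salt() -> bytes:
    return os.urandom(16)


def crack(stored_digest: str, salt: bytes, hash_fn, wordlist=WORDLIST):
    """Offline dictionary attack against one stolen record. The salt is in
    the stolen database alongside the digest, so salting does not hide the
    password; it only forces the attacker to redo the work per account.
    Returns the recovered password, or None if it is not in the wordlist."""
    for guess in wordlist:
        if hmac.compare_digest(hash_fn(guess, salt), stored_digest):
            return guess
    return None


def demo() -> dict:
    """Worked comparison for two users, alice and bob, who both chose 'letmein'."""
    pw = "letmein"
    alice_salt, bob_salt = new_salt(), new_salt()
    out = {}
    # Unsalted: identical digests, so a single precomputed entry covers both.
    out["unsalted_identical"] = hash_unsalted(pw) == hash_unsalted(pw)
    # Salted: the digests differ, so each account must be attacked on its own...
    out["salted_differ"] = hash_salted(pw, alice_salt) != hash_salted(pw, bob_salt)
    # ...but a weak password still falls to a short wordlist.
    out["salted_cracked"] = crack(hash_salted(pw, alice_salt), alice_salt, hash_salted)
    # A password that is not in any wordlist survives with the same scheme.
    strong = "tr0ub4dor&3-horse-staple"
    out["strong_survives"] = crack(hash_salted(strong, bob_salt), bob_salt, hash_salted)
    # A slow hash yields to the same guessing; it just costs ~200k HMACs per guess.
    out["slow_cracked"] = crack(hash_slow(pw, alice_salt), alice_salt, hash_slow)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the comparison makes is that salting defeats precomputation and sharing of work across accounts, while only the cost per guess (the slow hash) and the strength of the password itself limit how far an attacker gets with a years-old dump.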
"The value in bitcoin is a better than average marker of how profitable the hack truly was," said Bryan Seely, a cyber security expert and hacker at MGT Capital Investments. "Given how low the cost is, I'd say the situation probably isn't too bad." By comparison, hackers listed a stolen medical database containing 34,000 patient records for 20 bitcoins, or $13,173 U.S. dollars, this July.
Dropbox has several high-profile customers on Dropbox Business, a premium tier that offers features such as unlimited storage and additional security controls. It is used by organizations including Hyatt, Hewlett Packard, and Spotify. Dropbox Business was not launched until after the 2012 breach, so these customers are unlikely to have had data stolen.
The hack highlights the fragility of passwords as a security measure on the web. "Passwords are outdated, they're annoying to users, they annoy IT teams, they're hard to remember," said Malcolm Harkins, the chief security and trust officer at the security company Cylance. Harkins added that newer measures such as multi-factor authentication are far stronger. At Dropbox, which offers two-step verification at login, enrollment in the extra verification step has increased nearly tenfold since news of the hack.
Tyler Cohen Wood, cybersecurity adviser at Inspired eLearning, agrees, adding that users ought to take a degree of personal responsibility for their own data. "If you haven't changed your passwords since 2012, you might want to rethink your own personal password policy and change them more frequently," Wood said. Organizations, Wood added, also have an obligation to fully disclose breaches: "It is always best to report potential compromises of accounts and passwords to users right away so that they can take action immediately."