Dropbox confirmed this week that a breach they suffered in 2012, 4 years ago, was in fact legitimate. The scope of the breach was also realized to be far worse than originally thought. Escalating to a “mega-breach” level, Motherboard found on Leakbase 5GB of files that contained 68,680,071 accounts and hashed (and salted) passwords for Dropbox users. Close to half of the accounts’ passwords were hashed using BCrypt which makes it much harder for hackers to creak it. However, the other passwords were hashed using an older and soon to be broken SHA-1 method.
You can find out if you were impacted by this and other breaches by entering your email on Have Been Pwned? which is a great resources to keep tabs on all these breaches and to easily see if you have been impacted and from where.
This leads into deeper discussion about personal account and password management to the services you use on the Internet. The Dropbox breach, that occurred in 2012, was the result of a Dropbox employee’s password reuse. That means instead of having a unique password for each service they used, the used the same password on multiple sites. Password reuse basically combines all those sites for you into one, because if one of those sites is breached, they are all breached. Even though the Dropbox hack happened four years ago the data within is still valuable.
The hackers will buy the data and put it into automated bots to use the email address and passwords (if they are cracked) on all the major sites they can. A small number will succeed through password reuse and maybe it could be a bank, retailer, or other site that would provide financial benefit to the hackers.
Here’s a screenshot from Have I Been Pwned? for an account I know. According to them this account was part of five breaches over the years. Myspace, Adobe, Tumblr, LinkedIn and Dropbox. While each of those breaches is a serious event, through the password management and account practices they are isolated to those sites alone. The primary reason is each site had its own unique password. Had that not been the case the LinkedIn profile could have been accessed without my knowledge.
User convenience and speed is the dagger in security’s heart. Easy will always win if you don’t stop and think about the consequences. People far too often assume the sites on the Internet are safe, secure and are all the same. They are not. As a user of any website, big or small, cannot trust the security and protection of your information is in their best interest. In most cases it’s not.
Time and time again as breaches are publicized it chips away they every site is not the same and the users can inadvertently open the doors to their identities and money by poor account management practices around the Internet.
As a user of the Internet no one is going to make you more secure than you can do yourself. Whether you have the knowledge or experience the steps you can take are not difficult to greatly improve your security posture and limit your exposure in the event of a leak.
Here are a few tips do integrate into your Internet use
- NEVER use the same password in two places.
- To keep track and manage your passwords leverage a password management service, I use and recommend LastPass but there are many out there to help you.
- Reset your passwords occasionally, especially on your sensitive services like your bank. Using a password management service can even reset them for you.
- Use complex password, even better passphrases.
- Stop using passwords like doggy1234, house4444, P@ssw0rd.
- Move to phrase based passwords, they are longer, harder to crack and easier to remember – My house is two stories and blue in color, a long time ago in a galaxy far far away, my dog was born in November on a saturday
- Keep an eye on the news, watch your emails and if a service ever sends you an update to reset your password do so.
- Be cautious, password resets warnings are the top phishing attempts. Don’t click on links in emails, use the sites directly.
- Sign-up for notifications on Have Been Pwned? to get alerted if your email is part of a publicized breach.
- Learn and use Two-Factor Authentication whenever a site offers it. This adds another layer of security that if your password is compromised the hacker cannot use it because the two-factor will prompt for a code that will be generated from your smartphone or sent via text to you directly.
Another good practice that I use extensively is to create “junk” email accounts for sites that I want to get a newsletter or download something from but ask for an email address. Try to not use your primary email address for everything. Keep that as close to the chest as possible. Use the primary email for banking, shopping, family and friends, etc… Use your “junk” email for newsletters, updates, non-personal business. It’s those sites that will sell your email address or get breached and your email will then get more spam, unsolicited offers, etc… When it gets overwhelmed with junk, delete the email account and create a new one. It’s perfectly fine to have multiple email accounts for various purposes. The point it to keep your sensitive data flowing into a more controlled email account and junk into throw-away accounts.
Unfortunately breaches are part of the Internet. They will happen, it’s not a matter of if but when. The scary part is most breaches go undetected for 200 days before a company realizes it. That’s 200 days of freedom of the hackers to do what they want without you knowing about it. Don’t wait for the news to tell you because they will only know when the company does and that may be months or years after the fact.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.