Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that “someone has cobbled together a list of credentials that work on Dropbox” hacked either, but proper hacked to the tune of 68 million records.
Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this:
What we’ve got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It’s a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt’s adaptive workload approach at some point in time. Only half the accounts get the “good” algorithm but here’s the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don’t. It’s just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it’s near impossible.
At first glance the data looks legit and indeed the Motherboard article above quotes a Dropbox employee as confirming it. But I like to be sure about these things and as I’ve written before, independent verification of a breach is essential. Fortunately because it’s Dropbox, there’s no shortage of people with accounts who can help verify if the data is correct. People like me.
So I trawled through the data and sure enough, there was my record:
I head off to my 1Password and check my Dropbox entry only to find that I last changed the password in 2014, so well after the breach took place. My wife, however, was a different story. Well it was partly the same, she too had an entry in the breach:
But here’s where things differed:
Now there’s three things I’d like to point out here:
- My wife uses a password manager. If your significant other doesn’t (and I’m assuming you do by virtue of being here and being interested in security), go and get them one now! 1Password now has a subscription service for $3 a month and you get the first 6 months for free.
- Because she uses a password manager, she had a good password. I’ve obfuscated part of it just in case there’s any remaining workable vector for it in Dropbox but you can clearly see it’s a genuinely random, strong password.
- She hadn’t changed the password since April 2012 which means that assuming Dropbox is right about the mid-2012 time frame, this was the password in the breach.
With that, it was off to hashcat armed with a single bcrypt hash and the world’s smallest password dictionary containing just the one, strong password. Even with a slow hashing algorithm like bcrypt, the result came back almost immediately:
And there you have it – the highlighted text is the password used to create the bcrypt hash to the left of it. There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing. The only places that password ever existed was in her strongly encrypted 1Password keychain and on Dropbox’s servers. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of.
As for Dropbox, they seem to have handled this really well. They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon and frankly even if she hadn’t, that password was never going to be cracked. Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public. Definitely still change your password if you’re in any doubt whatsoever and make sure you enable Dropbox’s two-step verification while you’re there if it’s not on already.
There are now 68,648,009 Dropbox accounts searchable in HIBP. I’ve also just sent 144,136 emails to subscribers of the free notification service and a further 8,476 emails to those using the free domain monitoring service.