"Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well."
Somebody should compare these against previous major breaches (Adobe etc.). If there was a new one you would think that they would directly name the service. Otherwise they might just be seeking attention / BTC by reposting a previous breach.
"In September 2014, a large dump of nearly 5M usernames and passwords was posted to a Russian Bitcoin forum. Whilst commonly reported as 5M "Gmail passwords", the dump also contained 123k yandex.ru addresses. Whilst the origin of the breach remains unclear, the breached credentials were confirmed by multiple sources as correct, albeit a number of years old.
Compromised data: Email addresses, Passwords"
Is there some way to figure out exactly which password was compromised?
Type in your email address, you'll get the first two letters of the known password back. It should help to track down which service the password came from.
When the 5 Mil Gmail leak first happened, it was found to be a collection of gmail/pass combinations from other leaks and not a Gmail hack.
Known sources (and definitely not limited to these sites):
* Gawker (and related sites),
* Friendster,
* XTube,
* FileDropper,
* Daz3d/Bryce,
* eHarmony,
* Savage,
* Bioware,
* FreebieJeebies,
* PoliceAuctions,
* Bravenet,
* Filesavr.
If you recycled passwords, change them even if they're not in the email list. Turn on two factor for Google Accounts.
I will say that the passwords are usually very old, grabbed from some forums, and have probably been out in the wild for a while. So basically, as long as you don't use the same password everywhere for years, you're probably fine.
I used a password manager and any decent one will look for your email address and password and hashes published in the wild, to keep you safe. (i.e. https://watchtower.agilebits.com/)
I doubt dropbox was hacked. It also doesn't look like a dictionary attack.
It seems more likely that a third-party website wasn't storing passwords correctly, was hacked, and this is the list of users that use a single password for everything.
If your theory is correct, would we not expect to see the account names be a bit more random? That is to say, these are in alphabetical order and clearly coming from a large list because the letters in each progressive account are similar:
What if the guy created accounts so that people can check those are "real" and collect free bitcoins? Picking similar emails is to try to trick us into believing that he has 7 million of those.
It's also possible that they have it _all_ and none of the 3 "teasers" are indicative of the complete list. You should assume this is the case if you use dropbox, and act accordingly.
I feel this has been done for the sole purpose of making some money from gullible people (not that making money by finding security holes is bad in itself, as long as it's also combined with some social responsibility).
Making unsubstantiated statements like "6,937,081 DROPBOX ACCOUNTS HACKED" and requests like "MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN" makes this whole thing seem like a scam.
Chuckling at a few of the passwords of these unfortunate accounts, such as "trustnoone"
Considering that Dropbox is most useful via the desktop/mobile app...meaning that the password is rarely entered...I treat my Dropbox password as if it were on a need-to-know basis...that is, I have no idea what it is and I have to jump through several hoops to retrieve it for the rare times when I need to login. I don't put anything too valuable on Dropbox, but better safe than sorry.
One thing to consider is that Dropbox offers free space for referrals, so there's an incentive for people to create multiple dropbox accounts that they never intend to use. It makes sense that they would choose a very weak password for that account.
How rarely would you say you log in to Dropbox? I use it quite frequently to access the website to access files when not on a computer with my full dropbox synced locally.
Why is Hotmail so popular in this list? I thought Gmail was the most used, and even Yahoo seems to be on par with Gmail here.
May it be because they didn't actually hack dropbox but just hacked about 400 accounts and hotmail users were easier targets because that demographic was more like our parents?
Also the list skips from b-e to b-i in 400 users, surely if there were 7 million email addresses this shouldn't be the case?
Gmail, Hotmail and Yahoo! Mail each have ~300MM uniques per month. Gmail only became the leader, by a percentage point or so, at the end of 2012. You would expect roughly the same number of addresses from each provider.
Title is a bit inflammatory. No proof, simply a few short lists of usernames and passwords that (at the time of release) were valid to login to Dropbox.
Did they come from Dropbox? Not necessarily. Not everyone uses a unique username+password combination for each site.
A more accurate title would be something like: Dropbox accounts potentially compromised
Has anyone tested those logins to see if they work?
Of course, even if they do, it could easily be passwords taken from some other service, matched to accounts where people use the same password for everything.
Not necessarily an indication of Dropbox itself being hacked.
It would be nice if someone would write a quick script to email these people notifying them. Maybe if I get more time tonight, I'll give it a shot. Otherwise, someone else could be the hero ;)
Dropbox invalidated the passwords for everyone who's on the list, according to anecdotal reports from people on Twitter. You should change your password anyway, of course.
Mail providers should be doing that already. I would be surprised if Gmail/Hotmail/Yahoo don't have responsive teams that disable hacked accounts and request a password reset from a known IP or TFA.
Note that this was on Dropbox, not on any of the mail providers. Unless Google (et al) is going out of its way to send emails to its users in the list, which would surprise me.
I think the point was that many people reuse their passwords, so if Google et al were proactive about it, they would force reset passwords for the emails in this leak. But I agree, that may be over-protective/paranoid in some sense...
You have to consider the chances that they might just think your warning is yet another phishing/scam email and ignore it; but then again, if these people have been reusing passwords everywhere, maybe not...
I agree, I would like to give it a try. The only problem is how do I ensure the information is valid. I am not going to try and access the accounts, as that would be unethical.
Saving someone in immediate peril of death is a bit different to alerting someone that there's been a privacy breach, which they can then deal with themselves.
Maybe, but it could definitely be illegal. Anyone could have the right intentions, but make a mistake during an act of Good Samaritan-ship and get sued.
The general pattern here is some other large site (or sites) is hacked and their passwords are either not salted, or stored in plaintext, and the people reused the same email/password combo.
It could be from reused passwords from prior unrelated password leaks, or it could be a sign of very poor security at Dropbox. My money's on the former.
By tricking people with a droqbox.com, dropbox.com.77130.cn, "increase your dropbox size" or something similar. At least that would be way easier than actually hacking dropbox.
I wonder how many people are foolish enough to store their bitcoin wallets on dropbox, and if the hacker has already preemptively removed the funds from those wallets.
(Most) bitcoin wallets store the private keys encrypted, so even if you could steal them, they wouldn't do you any good unless the password was very simple.
According to downvoters who don't reply, apparently yes, it is too controversial for HN. On the other hand it's hardly a point of view that lacks legitimacy or goes unheard amongst us.
Your private data is not safe in dropbox. The end.
I backed Joey's campaign for this and made earnest attempts to use it. It's very, very difficult to use for say, backing up MP3s from main machine A to NAS and external drives. Especially on Windows, the sheer number of tiny files it creates causes most tools to grind to a halt.
http://www.techly.com.au/2014/10/14/dropbox-hacked-seven-mil...