Dropbox and Last.fm Hacks Resurface: A Lesson in Password Encryption
Resurfacing data breaches have made themselves known in a big way, and they are here to stay. We covered the resurfacing of LinkedIn’s massive 2012 data breach, in which 100M user accounts and passwords leaked in 2016. Yahoo’s major data breach, in which 500M email accounts and passwords were leaked, is the result of a 2014 intrusion. Now two other massive hacks have resurfaced, putting even more organizations and users at risk. We’re covering the recently resurfaced Last.fm and Dropbox hacks to show how you can protect yourself from attackers exploiting the leaked data, and how companies can better protect their own data and their users’ data when a breach does happen.
Last.fm data breach last seen in 2012, resurfaces in 2016 with over 40M unsalted passwords
In June 2012, roughly three months after the breach itself (later confirmed by LeakedSource, an informational service dedicated to detailing major data breaches), Last.fm announced that its user passwords had been leaked and that all users should change their passwords. Last.fm, a music tracking and analytics company, connected this leak to other leaks happening around the same time and described its announcement as merely a precautionary measure.
However, at the end of August, LeakedSource announced that it received a copy of the Last.fm leaked database and confirmed that it contained data on over 43.5M accounts. The dataset included usernames, email addresses, and service-related account information, among other things.
Most importantly, the dataset contained passwords hashed with MD5. MD5 is a fast, general-purpose hash function, not a password-hashing function: a modern GPU can test billions of candidate passwords per second against it, so dictionary and brute-force attacks are cheap. Compounding the problem, the passwords weren’t salted, the same mistake made in the LinkedIn data breach. A salt is a random, per-user value mixed into the password before hashing; it ensures that two users with the same password get different hashes and forces an attacker to crack each account separately rather than attacking the whole dump with one precomputed table. With neither protection in place, LeakedSource was able to crack over 96% of the passwords in less than two hours, and once the cracking was done the results were embarrassing.
Sophos tallied the passwords cracked by LeakedSource and listed the ten most common. At the top was ‘123456’, followed by ‘password’ and, ironically, ‘lastfm’. Because unsalted hashes are identical for identical passwords, these patterns are visible straight from the dump. They make it easier for attackers to guess the passwords a user chose elsewhere when they also hold the associated email address, and the ‘lastfm’ entry shows that users may simply use the name of the service as their password.
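To make concrete why an unsalted fast hash is so cheap to crack, here is an added Python example (not code from the original post, from LeakedSource or from Sophos). It builds a constructed mini-dump of MD5 hashes, runs a dictionary attack against it and tallies the most common passwords the way Sophos did, then repeats the attack against the same passwords stored with a random per-user salt to show how the cost changes. The accounts, passwords and wordlist are made up for illustration.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not from the real Last.fm dump), with
# passwords typical of what LeakedSource and Sophos reported.
_SAMPLE_PASSWORDS = {
    "alice": "123456",
    "bob": "password",
    "carol": "lastfm",
    "dave": "123456",
    "erin": "correct horse battery staple",  # deliberately absent from WORDLIST
}

# A tiny stand-in for a real cracking wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "lastfm", "qwerty", "letmein", "music"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def build_unsalted_dump():
    """What a Last.fm-style leak looks like: username -> md5(password), no salt."""
    return {user: md5_hex(pw) for user, pw in _SAMPLE_PASSWORDS.items()}


def build_salted_dump():
    """Same passwords stored as (salt, md5(salt + password)) with a random per-user salt.

    MD5 is still the wrong algorithm; the salt only fixes the 'one table cracks
    everyone' problem, which is the single effect this function is meant to show.
    """
    dump = {}
    for user, pw in _SAMPLE_PASSWORDS.items():
        salt = os.urandom(8).hex()
        dump[user] = (salt, md5_hex(salt + pw))
    return dump


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed exactly once. The resulting lookup table cracks
    every account that chose that password, however many there are.
    Returns (cracked {user: password}, number of hash operations).
    """
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """The same attack against salted hashes.

    The salt differs per user, so every candidate has to be re-hashed for
    every account: the full pass costs len(wordlist) * len(dump) operations
    instead of len(wordlist). (A real cracker would stop early on a hit; the
    full pass is counted here to show the worst case.)
    """
    cracked = {}
    ops = 0
    for user, (salt, h) in dump.items():
        for w in wordlist:
            ops += 1
            if md5_hex(salt + w) == h:
                cracked[user] = w
    return cracked, ops


def top_passwords(cracked, n=3):
    """Tally the cracked passwords, as Sophos did for the Last.fm dump."""
    return Counter(cracked.values()).most_common(n)


if __name__ == "__main__":
    dump = build_unsalted_dump()
    cracked, ops = crack_unsalted(dump, WORDLIST)
    print(f"unsalted: cracked {len(cracked)}/{len(dump)} with {ops} hash ops")
    print("alice and dave share a hash:", dump["alice"] == dump["dave"])
    print("top passwords:", top_passwords(cracked))
    salted = build_salted_dump()
    scracked, sops = crack_salted(salted, WORDLIST)
    print(f"salted:   cracked {len(scracked)}/{len(salted)} with {sops} hash ops")
```

Two things to take from the run: with no salt, two users who both chose ‘123456’ have byte-identical hashes, so the dump reveals shared passwords before any cracking is done; and the salt multiplies the attacker’s work by the number of accounts, but because MD5 is fast that is still not enough on its own, which is why the recommendations later in this post pair salting with a slow password-hashing function.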
Fortunately, while the Dropbox leak was larger, Dropbox had employed better password storage.
The Dropbox 2012 hack resurfaces, exposing 68M accounts and passwords
At the end of July 2012, Dropbox wrote a blog post explaining that usernames and passwords stolen from other websites were being used to sign into Dropbox accounts, and that one such password was used to “access an employee Dropbox account containing a project document with user email addresses.” In response, Dropbox contacted the users whose accounts were affected and took additional precautions to prevent further abuse.
Fast-forward to the end of August 2016, when Vice’s Motherboard first reported receiving a 5GB dataset containing over 68.5M user accounts and hashed passwords, verified by a senior Dropbox employee. Troy Hunt, a leading independent researcher in verifying data breaches, looked deeper into the leaked data and found his own account and 2012 password, as well as his wife’s.
More details followed, including that the stolen usernames and passwords originally came from the LinkedIn 2012 data breach. As mentioned in our coverage, the lack of salts in LinkedIn’s hashed passwords made them easy to crack. The Dropbox hack was possible because an employee reused their LinkedIn password for their Dropbox account: when an attacker tried the stolen LinkedIn password against the employee’s Dropbox account, it worked, and they were able to get into Dropbox and access its data.
A further look into the data dump brings good news and bad news. The good news is that Dropbox has contacted account holders and reset the passwords of all potentially affected customers, and says it has seen no evidence of any account being improperly accessed. Even better, the passwords were salted before hashing, which protects users further.
Unfortunately, the bad news is that the leaked passwords were not all protected the same way. About half were hashed with SHA-1, a fast general-purpose hash function that, like MD5, was never designed for password storage (and that has been superseded by SHA-2 and SHA-3 even for its intended uses). The other half were hashed with bcrypt, a deliberately slow password-hashing function that is far more expensive to attack. There is currently no way, from an account-level perspective, to know which algorithm protected a given password. Regardless, users should change their Dropbox passwords, and change any other passwords that reuse the original Dropbox password, to avoid cross-account compromise.
The ways in which these companies hashed their users’ passwords and responded to the breach and its subsequent resurfacing lead to important takeaways for both individuals and organizations.
How individuals and companies can protect their own data and safeguard against future data breaches
There are several key takeaways for both businesses and individuals in mitigating the risk that data breaches and leaked passwords pose.
To prevent further damage from both the Last.fm and Dropbox data breaches, organizations should:
- Inform their employees of the breaches and urge them to change their passwords if they haven’t already
- Urge them to change any passwords that have been reused from the Dropbox or Last.fm accounts, especially if they share the same associated email address.
- Engage in security awareness training and focus on the importance of not reusing passwords and using difficult-to-guess passwords
- Recommend two-factor authentication for Dropbox, so that a leaked password alone is not enough for a malicious actor to access the account.
Individuals should follow the same advice for their own accounts.
When an organization is breached and sensitive information is leaked, the Dropbox and Last.fm hacks show that the way passwords are hashed makes a significant difference in how quickly the leaked hashes turn into usable passwords in the attacker’s hands. Organizations that manage user accounts and passwords as part of their customer experience, for example an email provider or an application company, should:
- Salt passwords with a random, per-user value before hashing them. Salting is a minimum requirement for protecting user data: it ensures that identical passwords do not produce identical hashes and that an attacker must crack each account separately instead of attacking the whole dump at once. A salt does not, however, make a fast hash slow, so it must be paired with the next item.
- Use a secure, high quality, password hashing algorithm. Paragon Initiative has a good up-to-date post on which algorithms are best for protecting users’ passwords. They rank Argon2 as the top algorithm but also note bcrypt, scrypt, Catena, Lyra2, Makwa, and yescrypt as acceptable alternatives.
- Be prompt in their actions. Whether or not any malicious activity has been detected, organizations should quickly reset user passwords and communicate discovered issues to pre-empt any severe consequences.
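The following added Python example (not code from the original post, Dropbox, Last.fm or Paragon Initiative) puts the two storage recommendations above into practice, and also shows how a site in Dropbox’s position, with some accounts on a legacy fast hash and others on a slow one, can move users forward without knowing their passwords: each stored record names its algorithm and parameters, and a successful login against a legacy salted-SHA-1 record is used to re-hash the password and hand back a replacement record. It uses scrypt from Python’s standard library (one of the acceptable algorithms named above); the scrypt parameters, the record format and the legacy SHA-1 format are assumptions chosen for illustration, and the parameters are modest so the example runs anywhere.

```python
import hashlib
import hmac
import os

# Assumed scrypt parameters (about 16 MiB of memory per hash). Chosen so the
# example runs on any machine; raise N on production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Store a new password: random 16-byte salt, scrypt, self-describing record.

    Record format (an assumption for this example):
        scrypt$<N>$<r>$<p>$<salt hex>$<digest hex>
    Embedding the parameters lets them be raised later without a flag day.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def legacy_sha1_record(password: str) -> str:
    """Build a record in the assumed legacy format: salted but fast SHA-1.

    Only here to construct sample 'old' rows for the migration path below;
    never use this for new passwords.
    """
    salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def verify_and_upgrade(record: str, password: str):
    """Check `password` against `record`.

    Returns (ok, replacement). `replacement` is a fresh scrypt record when the
    login succeeded against a legacy SHA-1 row and should be written back to
    the database; it is None otherwise. Comparisons are constant-time.
    """
    fields = record.split("$")
    if fields[0] == "scrypt":
        _, n, r, p, salt_hex, digest_hex = fields
        calc = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                              n=int(n), r=int(r), p=int(p),
                              dklen=len(digest_hex) // 2)
        return hmac.compare_digest(calc.hex(), digest_hex), None
    if fields[0] == "sha1":
        _, salt_hex, digest_hex = fields
        calc = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        ok = hmac.compare_digest(calc, digest_hex)
        # The user just proved the password, so this is the one moment the
        # server can re-hash it with the stronger algorithm.
        return ok, (hash_password(password) if ok else None)
    raise ValueError(f"unknown password record format: {fields[0]!r}")


if __name__ == "__main__":
    old = legacy_sha1_record("hunter2")          # constructed legacy row
    ok, replacement = verify_and_upgrade(old, "hunter2")
    print("legacy login ok:", ok)
    print("replacement record:", replacement)
    print("new record verifies:", verify_and_upgrade(replacement, "hunter2"))
    print("wrong password:", verify_and_upgrade(replacement, "hunter3"))
```

Accounts whose owners never log in keep their legacy hash, so the upgrade-on-login pattern should be paired with a deadline after which remaining legacy records are invalidated and those users are forced through a reset, which is effectively what Dropbox did for its potentially affected accounts.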
Resurfaced data breaches are likely to become more common: attackers often sit on stolen data for years before it is traded or published, so an intrusion that went unnoticed can reappear as a public leak long afterwards. In the meantime, organizations and individuals should practice basic security measures for password management and user data protection in order to minimize any widespread damage.
For SecurityScorecard customers, the ‘Information Leak’ security category factor will show you any sensitive information belonging to your organization or your vendor that has leaked due to a breach incident or other malicious activity.