Now there's three things I'd like to point out here: Well it was partly the same, she too had an entry in the breach: here's where things differed:
So I trawled through the data and sure enough, there was my record: head off to my 1Password and check my Dropbox entry only to find that I last changed the password in 2014, so well after the breach took place. Fortunately because it's Dropbox, there's no shortage of people with accounts who can help verify if the data is correct. But I like to be sure about these things and as I've written before, independent verification of a breach is essential. It's not clear whether they provided the data they obtained from Leakbase to Dropbox directly or not, although it would be reasonable to assume that Dropbox has a copy in their hands from somewhere. It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible.Īt first glance the data looks legit and indeed the Motherboard article above quotes a Dropbox employee as confirming it. Only half the accounts get the "good" algorithm but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at some point in time. What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this: Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked.
0 kommentar(er)
