Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Hackers Stole Account Details for Over 60 Million Dropbox Users 66

The Dropbox hack is more severe than we expected. Motherboard has the details: Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts. The data is legitimate, according to a senior Dropbox employee. Security expert Troy Hunt has corroborated on Motherboard's claims, and has updated Have I Been Pwned website where you can go and see if you're among one of the victims.
This discussion has been archived. No new comments can be posted.

Hackers Stole Account Details for Over 60 Million Dropbox Users

Comments Filter:
  • by Anonymous Coward

    Was just a matter of time. It's why I was adamantly opposed to anyone putting this on a business workstation. Dropbox was never HIPAA compliant.

    • by Adriax ( 746043 )

      I got a telemarketer calling me and a dozen other people at my work trying to convince us to purchase what he called a dropbox integrator for citrix.
      Then half an hour later I saw this story. I just wish I had seen this first so instead of politely telling him to go away I could have just laughed until he hung up.

  • Is there anyone who uses the Internet that has NOT been affected by a malicious hack?

    Let's just make everything easy and all use the password 12345.

    That's the smartest password I've ever heard of in my life! That's the kinda thing a genius would do ... I've got the same combination on my luggage!

    • ... I've got the same combination on my luggage!

      I don't bother with locks on my luggage anymore. TSA just cuts them off -- even the "TSA approved" locks they have a key for -- as would anyone who wants to break in.

    • I actually have yet to see a report on a hack for any websites that I use.
    • by dbIII ( 701233 )

      Is there anyone who uses the Internet that has NOT been affected by a malicious hack?

      Plenty, unless you count failed attacks that are the persistent background noise of the net.
      Dropbox however have been exceptionally, indeed hilariously incompetent with security at times - which makes them "special".
      For some time people were treating it as a high speed bittorrent replacement - if you knew the hash and filename of somebody else's file you could get it from dropbox. So you could go to the pirate bay, find th

  • by Anonymous Coward

    What about those accounts that used Google to log into dropbox? I've seen an increase in that lately, sites using services like Google or Facebook to log in users.

  • by ravrazor ( 69324 ) on Wednesday August 31, 2016 @11:55AM (#52803435)
    Just FYI, although slashdot postings have never been extremely literate: Nobody corroborates ON something, you just corroborate something, i.e. I corroborated the claims about Dropbox. At least someone may have learned something on slashdot today.
    • by b0bby ( 201198 )

      And if we're going to go there: you can't be "among one of the victims", you' could be either among the victims or one of the victims.

      • It's also missing an article 'the' or a possessive 's' from the sentence snippet "and has updated Have I Been Pwned website"

      • And if we're going to go there: you can't be "among one of the victims", you' could be either among the victims or one of the victims.

        Well, one of the victims could be spread out over a large area, and could be among it.

      • that is a style thing not a grammar rule. Pendactics are always the slowest in the class tbh.
    • Not true, someone could corroborate the story ON the toilet.
    • by NotAPK ( 4529127 )

      Possible misuse of "collaborate"? We certainly "collaborate on" projects.

  • by __aaclcg7560 ( 824291 ) on Wednesday August 31, 2016 @12:09PM (#52803515)
    I played around with the https://haveibeenpwned.com/ [haveibeenpwned.com] website, confirming that very old email addresses were compromised in the last few years. But how legit is this website?
    • by Richard_at_work ( 517087 ) on Wednesday August 31, 2016 @12:16PM (#52803555)

      Extremely legit, Troy Hunt goes to great lengths to ethically report breaches, hiding "sensitive" results (so you cant search someones email to see if they were an Maddison Ashley account holder, for example) as well as verifying a dataset is authentic (there are fake ones going around).

      You should sign up to that site immediately, if you havent already. You get email notifications if a new breach includes your email address, which is worth it alone.

      • Urgh, thats Ashley Madison, the dating site for people wanting to have affairs...

      • they listed my account as pwned in the myspace hack. I've never been to myspace let alone registered an account. In fact I'd go so far as to say the hack predates the email they say was compromised.
        • by cdrudge ( 68377 ) on Wednesday August 31, 2016 @12:48PM (#52803755) Homepage

          Is it possible that your email account was previously used by someone else, or that someone else signed up under your account?

          Also not all the data necessarily pertains to log in account data. Perhaps your email address was a backup contact address, a friend's contact, referral, etc. There's lots of ways some basic information about you could be "compromised" with an data breach even if you never had an actual account.

        • Same here, my e-mail address is showing as "pwned" for Gamigo, a German online publisher which I never heard of.

  • Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community.

    What the hell is the database trading community?

  • Just for giggles I went there and put in my throw away email that I use to register to crap. apparently I was "pwned" in the myspace hack. Funny thing is I've never had a myspace account. Ever. i'm not calling bullshit, but when the site tells me I'm owned and asks for a donation, I'm going to question it. But I know 100% I have never registered a myspace account.
    • by Anonymous Coward

      Same for me. I've never had a myspace account, but the junk email I checked was part of that compromise. Could be other spammers registering accounts with my email though, as I've seen that happen no less than 5 times with my email address being used to create junk Facebook accounts. They are never fully activated because they can't get the verification email, but it still creates a partial account which generates junk activity emails, which is very annoying. Part of the reason I am changing to a new email

    • by Striek ( 1811980 )

      He doesn't actually ask for donations. He provides a way to donate because people have repeatedly expressed strong desires to donate to the project for the service they receive. He doesn't mince words on the time investment required, though.

      Why donate?
      Ok, so donations. Many people love this service and to my surprise, many have actually asked to donate. In all good conscience, I can't on the one hand write about how awesome and cost effective Azure is then on the other hand ask for donations to fund it. It's cheap — I've got it covered.

      Let me instead talk about the sacrifices required to make a service like this work. It can be enormously time consuming and that's the real cost here. Plus there are a few services I pay for out of my own pocket to make the magic happen. If you want to kick in to help me cover those costs, that would be awesome. And no problem if you don't want to either; just share the love and help others make use of the service.

    • Just for giggles I went there and put in my throw away email that I use to register to crap. apparently I was "pwned" in the myspace hack. Funny thing is I've never had a myspace account. Ever. i'm not calling bullshit, but when the site tells me I'm owned and asks for a donation, I'm going to question it. But I know 100% I have never registered a myspace account.

      And you're sure that you've been the only person to own that email address? My throw away email address got leaked in a hack and someone used it to sign up for an instagram account without my knowledge or consent. I get emails from Instagram all the time saying that there is suspicious activity associated with the account i never created. So one day I went to instagram and did the password recovery on that throw away account and, sure enough, they let someone create and use an account without me ever au

      • I have my own domain which I use for email. One very unpleasant week a spammer decided to use my domain name to allegedly send email from, using a very large numbers of fictitious accounts in that domain. I was hit with something on the order of four thousand backscatter spam messages in one day. If you have a first name that's not too rare in the US, there has been at least one email sent with your name @ my email domain.

    • I just put in the bogus e-mail I have always used bob@bob.com and that appears to have been breached 48 times and also has 48 pastes.
  • I suppose I could encrypt and upload, but that feels like too much hassle to me. Got my encrypted external drives to plug into the USB. Am I missing something?
  • Those dasterdly demons. According to 'Have I Been Pwned', I've been pwned on three sites that I've never visited. Surely that requires some very sophisticated hacking. I was offered more detailed information in return for a donation/subscription.

No spitting on the Bus! Thank you, The Mgt.

Working...