Month: September 2016

Dropbox’s Big, Bad, Belated Breach Notification

69 Million Dropbox Passwords Compromised; Last.fm Reportedly Breached in 2012

To the annals of super-bad historical mega breaches that no one knew about, add a new entry: file-hosting service Dropbox. Separately, music service Last.fm also was reportedly breached badly in 2012, although that has yet to be independently confirmed.

On Aug. 27, Dropbox began alerting customers that if they had signed up to the service before mid-2012 but not changed their passwords since mid-2012, then they would be required to do so.

Dropbox’s Aug. 27 alert suggests that the service might not know which users have changed their passwords since mid-2012.

“We recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012,” Dropbox says on its website, indicating it first heard related rumors in mid-August. Resetting the passwords that it believes may have been exposed “ensures that even if these passwords are cracked, they can’t be used to access Dropbox accounts,” the alert notes.

Dropbox first learned about that breach in 2012 and issued an alert to users in July of that year, saying it had traced the breach to an employee reusing their corporate password across multiple sites. The company said it added new security features designed to protect against such breaches. But at the time, Dropbox evidently failed to comprehend the true magnitude of the breach and forced relatively few password resets.

What’s belatedly come to light, however, is that as a result of that 2012 breach, details for almost 69 million user accounts – including email addresses and hashed passwords – were stolen. The information reportedly began circulating recently on underground forums.

More Historical Mega Breaches

This year has seen a spate of mega breaches belatedly coming to light. Four were announced in May alone: MySpace, the date of whose breach remains unclear, though it is obviously not recent; LinkedIn, which disclosed that its 2012 breach resulted in 165 million passwords being compromised; Tumblr, which warned that 65 million accounts were breached in 2013, prior to its acquisition by Yahoo; and “adult social network” Fling, which said that 41 million accounts were breached in 2011.

On Sept. 1, paid data breach site Leaked Source described yet another old, alleged breach, this one hitting music service Last.fm. Leaked Source claims that the service was hacked in March 2012 and data on 43.6 million users – including usernames, email addresses and passwords – was stolen. While that breach has yet to be independently verified, Leaked Source says that it successfully cracked 96 percent of the site’s unsalted passwords, which had been hashed with MD5.

Last.fm didn’t immediately respond to a request for comment on that report.

Dropbox Breach: Worse than Believed

Dropbox’s Aug. 27 breach alert arrived just a few months after several identity theft services misreported that user data from the site had been leaked (see Dropbox Confident Amidst Breaches).

It turns out, however, that the 2012 Dropbox breach appears to have been much worse than originally believed. Indeed, sometime after Dropbox was hacked in mid-2012, “a large volume of data totaling more than 68 million records was subsequently traded online and included email addresses and salted hashes of passwords, half of them SHA-1, half of them bcrypt,” says Troy Hunt, who runs the free Have I Been Pwned? website.

Security experts laud bcrypt as an excellent, purpose-built password-hashing algorithm, but warn that SHA-1 – as well as MD5 – are deprecated and shouldn’t be used. Dropbox, to its credit, in recent years appears to have phased out SHA-1 in favor of bcrypt.

Technology news site Motherboard reports that it obtained a sample of the data that hackers allegedly stole from Dropbox, and that it contains details relating to 68.7 million accounts, including email addresses and hashed passwords. It says that an unnamed, senior Dropbox employee confirmed that the information was legitimate.

Dropbox couldn’t be immediately reached for comment on that report.

But Hunt says he independently reviewed the data and found it to be authentic. He acknowledges that it contains old passwords set by him and his wife.

The Dropbox passwords were salted, which refers to the practice of adding data to a password before it gets run through a one-way hashing algorithm, which makes it more difficult for attackers to crack. Whenever users enter their password in the site again, it gets salted and run through the password-hashing algorithm, and if there’s a match, then the site knows the password is authentic.

Hunt says that while the passwords are salted, that doesn’t mean they were invulnerable. “The risk is they may be cracked, but their password hashing approach means that’s only likely with bad passwords,” Hunt says via Twitter.

Hunt has added the Dropbox breach to his website’s list of the top 10 breaches of all time. It currently holds sixth place, behind breaches of Adobe (152 million accounts exposed), China’s Badoo (112 million) and Russian social media site VK (93 million), among others.
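The salting and hashing points above (unsalted MD5 at Last.fm, salted SHA-1 and bcrypt at Dropbox, and Hunt's remark that cracking is "only likely with bad passwords") can be made concrete with a few lines of Python. This is an added example, not code from Dropbox, Last.fm or Have I Been Pwned. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in as the slow, salted, purpose-built scheme; the user list and wordlist are constructed sample data.

```python
"""Salted vs. unsalted password hashing (added example, not the article's
or any company's code). PBKDF2-HMAC-SHA256 is used in place of bcrypt
because bcrypt is not in the Python standard library."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample users; two of them chose the same weak password.
USERS: Dict[str, str] = {
    "alice@example.com": "password1",
    "bob@example.com": "password1",
    "carol@example.com": "correct horse battery staple",
}

# Constructed guess list standing in for a commodity password wordlist.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]


def md5_unsalted(password: str) -> str:
    """Unsalted MD5: the scheme Leaked Source says Last.fm used."""
    return hashlib.md5(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1: a per-user salt is prepended before one fast hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Slow, salted hash stored as a self-describing record:
    algorithm$iterations$salt$digest (format is this example's own)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Login path: re-derive with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_count(hashes: Iterable[str]) -> int:
    """Number of distinct stored hashes shared by more than one user.
    Unsalted storage leaks that Alice and Bob use the same password."""
    counts: Dict[str, int] = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def table_hits(unsalted_hashes: Iterable[str], wordlist: Iterable[str]) -> int:
    """Defender's check: with no salt, one precomputed table of md5(word)
    matches every user who picked a word in the list at once. With a
    per-user salt the table would have to be rebuilt per user."""
    table = {md5_unsalted(w) for w in wordlist}
    return sum(1 for h in unsalted_hashes if h in table)


def demo() -> Dict[str, int]:
    """Compare the three schemes over the constructed user list."""
    unsalted = [md5_unsalted(p) for p in USERS.values()]
    salted = [sha1_salted(p, os.urandom(16)) for p in USERS.values()]
    return {
        "unsalted_duplicates": duplicate_hash_count(unsalted),
        "salted_duplicates": duplicate_hash_count(salted),
        "unsalted_table_hits": table_hits(unsalted, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
    rec = pbkdf2_store("password1")
    print(rec, pbkdf2_verify("password1", rec), pbkdf2_verify("Password1", rec))
```

The salt removes cross-user and cross-site reuse of a cracked hash, and the iteration count makes each guess expensive, but neither helps a password that is itself in a wordlist, which is exactly Hunt's point.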

Enable Two-Step Verification

Two safeguards against breaches that may happen today, but not be revealed until well into the future, are to use unique passwords for each site – thus blocking attackers from reusing the credentials to log into other sites – as well as to enable two-step authentication whenever possible. The latter means that even if attackers obtain a user’s valid password, they can’t use it unless they can somehow also obtain, for example, a one-time verification code.

The month after it was hacked in July 2012, Dropbox introduced two-step verification as a free option for all users. Today, it works via text messages or a mobile app, generating a unique six-digit security code that users must enter to log in. The authentication feature also works with some types of security keys – small USB or near-field communication devices that typically get carried on a keychain and are used as the second step for verification.
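The six-digit codes that a mobile authenticator app generates are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example of how such a code is derived and checked on the server side; it is not Dropbox's implementation and makes no claim about how Dropbox's service is built. The shared secret is the RFC's published test value, the 30-second step and the one-step tolerance window are this example's assumptions, and the replay set shows the "one-time" property that a plain code comparison would miss.

```python
"""TOTP code generation and verification (added example, not Dropbox's code).
Secret, step size and tolerance window are assumptions; the secret is the
RFC 4226/6238 test vector so the values can be checked against the RFC."""
import hashlib
import hmac
import struct
from typing import Set

# RFC 4226 Appendix D / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with clock-skew tolerance and replay rejection."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window  # accept codes this many steps either side
        self._used: Set[int] = set()  # counters already consumed

    def verify(self, code: str, at_time: float) -> bool:
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                if c in self._used:
                    return False  # a code is one-time: reject the replay
                self._used.add(c)
                return True
        return False


if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(TEST_SECRET, now)
    v = TotpVerifier(TEST_SECRET)
    print(code, v.verify(code, now), v.verify(code, now))  # code, True, False
```

The attacker model the article describes (a stolen, later-cracked password) is defeated because the code depends on a secret that never leaves the phone and on the current time; the replay set closes the gap where a phished code could be reused within the same window.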

Yahoo Says Hackers Stole Data on 500 Million Users in 2014

By NICOLE PERLROTH, SEPT. 22, 2016

The announcement of the breach at Yahoo comes as Verizon Communications moves forward with its $4.8 billion acquisition of the company. Credit Mike Blake/Reuters

SAN FRANCISCO — Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.

In a statement, Yahoo said user information — including names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions — was compromised in 2014 by what it believed was a “state-sponsored actor.”

While Yahoo did not name the country involved, how the company discovered the hack nearly two years after the fact offered a glimpse at the complicated and mysterious world of the underground web.

The hack of Yahoo, still one of the internet’s busiest sites with one billion monthly users, also has far-reaching implications for both consumers and one of America’s largest companies, Verizon Communications, which is in the process of acquiring Yahoo for $4.8 billion. Yahoo Mail is one of the oldest free email services, and many users have built their digital identities around it, from their bank accounts to photo albums and even medical information.

Changing Yahoo passwords will be just the start for many users. They’ll also have to comb through other services to make sure passwords used on those sites aren’t too similar to what they were using on Yahoo. And if they weren’t doing so already, they’ll have to treat everything they receive online with an abundance of suspicion, in case hackers are trying to trick them out of even more information.

The company said as much in an email to users that warned it was invalidating existing security questions — things like your mother’s maiden name or the name of the street you grew up on — and asked users to change their passwords. Yahoo also said it was working with law enforcement in its investigation and encouraged people to change the security settings on other online accounts and monitor those accounts for suspicious activity as well.

“The stolen Yahoo data is critical because it not only leads to a single system but to users’ connections to their banks, social media profiles, other financial services and users’ friends and family,” said Alex Holden, the founder of Hold Security, which has been tracking the flow of stolen Yahoo credentials on the underground web. “This is one of the biggest breaches of people’s privacy and very far-reaching.”

The Yahoo hack also adds another miscue to what has been a troubled sale of a long-troubled company. In July, Verizon said it would acquire the internet pioneer, roughly a month before Yahoo security experts started looking into whether the site had been hacked. It is unclear what effect, if any, the breach will have on Yahoo’s sale price.

In a statement on Thursday, a Verizon spokesman, Bob Varettoni, said his company learned of the breach of Yahoo’s systems only two days ago and had “limited information and understanding of the impact.”

It is unclear whether security testing — such as a test to see if security experts could break into the Yahoo network — was performed as part of Verizon’s due diligence process before it agreed to the acquisition.

But such security is often overlooked by investors, even though breaches can result in stolen intellectual property, compromised user accounts and class-action lawsuits. To date, no law requires such security checks as part of due diligence.

“Cybersecurity can absolutely affect a valuation, and these are important questions that investors need to be asking,” said Jacob Olcott, vice president of BitSight Technologies, a security company.

Yahoo said it learned of the data breach this summer after hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data. A Yahoo security team was unable to verify those claims. But what they eventually found was worse: a breach by what they believe was a state-sponsored actor that dated back to 2014.

A potential breach of Yahoo’s systems was first reported by the tech news site Recode early Thursday morning.

The first sign that something was amiss appeared in June, when a Russian hacker who goes by the user name Tessa88 started mentioning, in underground web forums, a new trove of stolen Yahoo data, Mr. Holden said. In July, Tessa88 supplied a sample of the stolen collection to people in the so-called underground web for authentication.

Backup generators and buildings housing computer servers at a Yahoo facility in Lockport, N.Y. Credit Andrew Harrer/Bloomberg

The sample contained valid Yahoo user accounts, but it was unclear whether the data was from a breach of a third-party service or Yahoo itself. And it was not clear whether it came from a recent Yahoo breach or a previous incident in 2012, when the internet service acknowledged that more than 450,000 user accounts were compromised.

Then, in August, a second hacker who goes by the alias Peace of Mind began offering a large collection of stolen Yahoo credentials — including user names, easily cracked passwords, birth dates, ZIP codes and email addresses — on a site called TheRealDeal, where hackers can buy and sell stolen data, Mr. Holden said.

TheRealDeal uses Tor, the anonymity software, and Bitcoin, the digital currency, to hide the identities of buyers, sellers and administrators who are trading attack methods and stolen data.

After looking into that data, Yahoo did not find evidence that the stolen credentials came from its own systems. But it did find evidence of a far more serious breach of its systems two years earlier.

Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.

Security experts say the breach could bring about class-action lawsuits, in addition to other costs. An annual report by the Ponemon Institute in July found that the cost to remediate a data breach is $221 per stolen record. Added up, that would top Yahoo’s $4.8 billion sale price.

Thursday afternoon, Senator Mark R. Warner, a Democrat from Virginia and former technology executive, issued a statement that said the “seriousness of this breach at Yahoo is huge.”

He weighed in with a call for a federal “breach notification standard” to replace data notification laws that vary by state. Senator Warner added that he was “most troubled” that the public was only learning of the incident two years after it happened.

Michael J. de la Merced contributed reporting in San Francisco.