Blog: Why Dropbox wasn't really 'hacked'
20th October 2014
News broke last week that "Dropbox had been hacked" - that 7 million users' passwords had been published. One's first reaction is disbelief - that a company so important and trusted by so many people could have security so insufficient that such a thing could happen. Security and trust are the basis of their business model - without them, there is no Dropbox.
A few years ago, online services were more hackable, but due to the number of high profile breaches everyone has been upping their game, and companies like Dropbox, Google and Facebook are at the forefront of protecting their customers and their business. Most of the high profile hacks of customer data have been of 'bricks-and-mortar companies gone online' rather than new age tech companies which started online. The challenge for these older companies is that they have legacy systems and 3rd party suppliers which were not designed for the new digital age. Security was not baked in from the start. The biggest weakness is often people, not the systems.
With companies like Dropbox, hacking and online security were known knowns (is that really now part of the lexicon - ed) when the company was formed. That said, even these online companies have been hacked. Dropbox itself suffered a previous security breach in 2012, but according to their statement, that was the result of a staff member's access password being revealed and someone downloading a file of email addresses.
So, back to 2014, and according to reports "7 million Dropbox account names and passwords have been published". It is inconceivable that Dropbox, a modern sophisticated service provider, or any equivalent mass service provider would not salt* and hash* their passwords such that someone would have been able to download a list of passwords (even if they had complete access to the system). There had to be another explanation. There was.
According to Dropbox, some other 3rd party services were hacked - presumably services which did not salt and hash, or which were compromised some other way - and, given those user credentials, the hackers then tried the same username/password pairs against Dropbox. Unsurprisingly, in many cases, the same username and password combination also worked on Dropbox. The hackers then collated the list of matching/valid accounts and published it.
So, other than verifying that a password worked, Dropbox was not hacked, and it's also unlikely that "seven million" accounts were hacked; at the time of writing the hackers had published only 400. Of course, it does depend on your definition of 'hacked'. If someone uses a stolen username and password to access a service, that is technically hacking, but it's not due to any flaw in the service itself, which means that not every user is at risk.
Passwords can also be stolen by entrusting your user credentials to 3rd party apps, a method used to steal Snapchat account passwords. The theft of celebrity selfies apparently from Apple's iCloud was blamed on the users - Apple suggested that the users had used poorly chosen passwords or easy to guess security questions.
The important point here is that this incident highlights the tedious but essential practice of using different and strong passwords for all of your online (and offline!) services. This is one of the vital recommendations in our guide "The 27 Things every router user should know".
*Hashing (or a 'one way hash') is a way of transforming and storing user passwords such that when a user enters their password, the algorithm can confirm whether the password is correct (it produces the same hash as is stored) but the actual password itself is not stored - the hash cannot be converted back to the password. 'Salting' is just a method of mixing a random value into each password before it is hashed, so that identical passwords do not produce identical hashes and a precomputed table of hashes cannot be used to recover them. Hashing without salting is not considered secure.
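As an added illustration of the footnote (example code, not from the article or from Dropbox), the snippet below stores a password as a salted one-way hash, verifies a login attempt against it, and contrasts this with the unsalted hash the footnote calls insecure. The iteration count and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2; an assumed value for this example, not a Dropbox setting.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn if none is given.
    Only the salt and digest are stored; the password itself never is."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    This is the 'produces the same hash as is stored' check from the footnote."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_hash(password: str) -> bytes:
    """Hashing without salting: every user with the same password gets the same
    hash, so one precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def demo() -> dict:
    # Constructed sample: two different users who reuse the same password.
    pw = "correct horse"
    salt_a, digest_a = hash_password(pw)
    salt_b, digest_b = hash_password(pw)
    return {
        # Salted: same password, different salts, different stored digests.
        "salted_digests_match": digest_a == digest_b,
        # Unsalted: same password always yields the identical digest.
        "unsalted_digests_match": unsalted_hash(pw) == unsalted_hash(pw),
        "correct_password_verifies": verify_password(pw, salt_a, digest_a),
        "wrong_password_verifies": verify_password("wrong", salt_a, digest_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```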
Note : This article is an editorial piece and does not necessarily reflect the views of DrayTek Corp, its staff or any associated person or company. The information is provided in good faith based on publicly available information however has not been independently verified. As such, no reliance, commercial or otherwise should be placed on the information which is provided for discussion or interest only.
Important Notice : This is an editorial opinion piece and does not necessarily reflect the views of DrayTek Corp. Information contained is presented in good faith as a topic of discussion, based on information in the public domain. No warranty is given of the accuracy of 3rd party reports relied upon, or the accuracy of information provided. If you believe anything to be in error, please contact us immediately for review and correction where appropriate. Any links to 3rd party sites are provided as a courtesy and the content of those sites are outside of our control; no warranty is given of the accuracy of any external sites.
- First Published: 18/10/2014
- Last Updated: 10/02/2015