
Dropbox and Brazzers Passwords Hacked

A couple of weeks ago it was revealed that some 60 million Dropbox account details (including passwords) have been stolen. A couple of days ago nearly 800,000 accounts belonging to members of Brazzers, “the world’s most heavily used porno site!”, were dumped on the internet. Again, these details included usernames and plaintext passwords.

The Dropbox hack

Dropbox has forcibly required many of its users to reset their passwords and has sent an email to all users strongly advising that they reset their passwords.

The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria.

It seems the details were obtained during a hacking “incident” dating back to 2012,

“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.


In its 2012 security update, Dropbox reported that an employee’s password had been stolen and used to access Dropbox users’ email addresses,

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.

What Dropbox did not disclose at the time was that passwords were also stolen. Many of these were protected by an SHA1 hash function strengthened with random salt. Probably because SHA1 was still considered secure at the time, Dropbox appears to have been unconcerned at the theft of these passwords.

Unfortunately, SHA1 has now been shown to be much less secure than previously thought thanks to its vulnerability to collision attacks. Even back in 2012, however, it was known that SHA1 contained vulnerabilities, and Dropbox had already begun transitioning to hashing passwords with the more secure bcrypt.

Motherboard has been able to confirm that 60 million Dropbox user account details have been dumped onto the internet. The passwords are still hashed, and around 32,000 of these are protected by bcrypt. The remaining passwords, however, are hashed using SHA1, and are therefore potentially vulnerable.
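The transition the article describes, from salted SHA1 to a slow hash, is usually done opportunistically: the stored record is checked with the old scheme on login, and because the plaintext is in hand at that moment it is rehashed with the slow scheme and the record replaced. The example below is added here to illustrate that pattern and is not Dropbox's code; it uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, and the record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical work factor: tune so one verification costs tens of milliseconds.
PBKDF2_ITERATIONS = 200_000
LEGACY_SCHEME = "sha1"           # record: sha1$<salt hex>$<digest hex>
MODERN_SCHEME = "pbkdf2_sha256"  # record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>


def legacy_sha1_record(password: str) -> str:
    """Salted SHA1 record of the kind the article describes; kept only for migration."""
    salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_SCHEME}${salt.hex()}${digest}"


def modern_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow record (PBKDF2 here stands in for bcrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{MODERN_SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a login attempt against a stored record.

    Returns (ok, replacement). replacement is a new modern record only when a
    legacy SHA1 record verified successfully; the caller should store it.
    """
    scheme, *fields = record.split("$")
    if scheme == LEGACY_SCHEME:
        salt_hex, digest = fields
        expected = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(expected, digest):  # constant-time comparison
            return False, None
        # Plaintext is available right now: rehash with the slow scheme.
        return True, modern_record(password)
    if scheme == MODERN_SCHEME:
        iterations, salt_hex, digest = fields
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate.hex(), digest), None
    raise ValueError(f"unknown hash scheme: {scheme}")
```

Records that never log in again never get upgraded, which is why a forced reset of old accounts, as Dropbox did, is the only way to retire the legacy hashes completely.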

It is for this reason that Dropbox has forced a reset of all users’ passwords that date from 2012 or earlier. Unfortunately, most users do not change their passwords very often, so this covers a very high percentage of Dropbox’s customers.

The Brazzers Hack

790,724 unique Brazzers account details have been dumped on the internet. These include email addresses and associated passwords. In plaintext! These details were the result of a successful hack on the Brazzers forum.


This is actually a separate website from the Brazzers porn portal, but apparently accounts belonging to users who never signed up to the forum were nabbed, and have been released to the general public.

Motherboard managed to obtain a file containing these account details from Vigilante.pw, a website that specializes in monitoring data breaches. Troy Hunt, a security researcher who runs the ‘;–have i been pwned? website, was then able to verify that the data was genuine by the simple expedient of contacting Brazzers members and asking them to confirm the details.

According to a Brazzers spokesperson,

This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.

That being said, users’ accounts were shared between Brazzers and the ‘Brazzersforum’ which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users.

So what can you do to protect your passwords?

No matter how strong the password you use, if a website you are a member of is hacked and passwords stolen, then your account should be considered compromised. This is especially true if passwords are held (and leaked) in plaintext!

You should therefore change it immediately!!! Have you done that? Then relax. No! But wait! Have you reused the same password on other websites and accounts? Then change them all too. Now!

Unfortunately far too many of us are guilty of this bad practice. It means that hackers (or in the cases above, the entire internet) will have full access to every other account that you use the same email address or password for. This might well include your bank account.

Use a password manager

Passwords (or even better, passphrases that use more than one word) should be long, random, and a unique one should be used for each account you have. But who can remember even one long random string of letters, numbers, and symbols, let alone many of them?

The answer, of course, is that computers can! A good password manager program will:

  • Generate strong unique passwords for every website and account that you use
  • Protect these passwords using strong encryption
  • Allow you to access all your passwords by just remembering a single “master password” (be sure to choose a good one and not divulge it to anyone else!)
  • Allow you to access your passwords on whatever device and platform you use, and to sync passwords across devices and platforms.


Password managers are therefore not only invaluable security tools, but actually make your life easier. After all, it is far easier to remember just one master password than lots of them, and your password manager will even autofill logins so you don’t need to type in your details each time!

Please check out my list of 5 Best Password Managers for some of the best password manager options available.

Use 2-factor authentication

One-factor authentication requires a single step to verify your identity, such as knowing your username and password. 2FA provides another layer of protection against hackers by also requiring you to have something (for example your smartphone).


Two-step authentication is common in secure physical work places, where in addition to needing passcodes/doorcodes etc. (i.e. what you know), employees are required to carry a smartcard, USB thumbdrive, or similar physical object to prove what they have.


By requiring proof of ‘what you know’ and ‘what you have’, two-factor authentication greatly improves security. In the above cases, for example, simply obtaining usernames and passwords would not be sufficient to access users’ accounts. If 2FA is available, then you should always take advantage of it, and going forward, hopefully more services will start supporting 2FA.


Douglas Crawford: I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living.


6 responses to “Dropbox and Brazzers Passwords Hacked”

    1. Hi Ralph,

      I am not familiar with Code Book, but the fact that it is proprietary software puts me off. KeePass is open source and can also be synced over Dropbox (or any other cloud service).

    1. Hi alto2,

      You are 100% right! It was remiss of me not to mention 2FA. I have now updated this article with a section on the subject.

  1. Don’t forget viable & safer methods of syncing password files. I was researching Syncthing (and a few other solutions) when I came across your review.

    I’m partial to Syncthing because it’s p2p (no cloud storage), has end-to-end encryption and supports most OSes, especially Linux.

    Great link to vigilante.pw, too! I had no idea anyone was tracking online breaches.
