Mastodon

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.

Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which once unzipped, looked like this:

The Dropbox data across 4 text files

What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at some point in time. Only half the accounts get the "good" algorithm but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't. It's just as well because it would be a far more trivial exercise to crack the older algorithm but without the salts, it's near impossible.

At first glance the data looks legit and indeed the Motherboard article above quotes a Dropbox employee as confirming it. It's not clear whether they provided the data they obtained from Leakbase to Dropbox directly or not, although it would be reasonable to assume that Dropbox has a copy in their hands from somewhere. But I like to be sure about these things and as I've written before, independent verification of a breach is essential. Fortunately because it's Dropbox, there's no shortage of people with accounts who can help verify if the data is correct. People like me.

So I trawled through the data and sure enough, there was my record:

troyhunt@hotmail.com:$2a$08$W4rolc3DILtqUP4E7d8k/eNIjyZqm0RlhhiWOuWs/sB/gVASl46M2

I head off to my 1Password and check my Dropbox entry only to find that I last changed the password in 2014, so well after the breach took place. My wife, however, was a different story. Well it was partly the same, she too had an entry in the breach:

[redacted]@[redacted]$2a$08$CqSazJgRD/KQEyRMvgZCcegQjIZd2EjteByJgX4KwE3hV2LZj1ls2

But here's where things differed:

Kylie's 1Password entry for Dropbox

Now there's three things I'd like to point out here:

  1. My wife uses a password manager. If your significant other doesn't (and I'm assuming you do by virtue of being here and being interested in security), go and get them one now! 1Password now has a subscription service for $3 a month and you get the first 6 months for free.
  2. Because she uses a password manager, she had a good password. I've obfuscated part of it just in case there's any remaining workable vector for it in Dropbox but you can clearly see it's a genuinely random, strong password.
  3. She hadn't changed the password since April 2012 which means that assuming Dropbox is right about the mid-2012 time frame, this was the password in the breach.

Knowing what her original password was and having what as this stage was an alleged hash of it, if I could hash her strong password using the same approach and it matched then I could be confident the breach was legit. With that, it was off to hashcat armed with a single bcrypt hash and the world's smallest password dictionary containing just the one, strong password. Even with a slow hashing algorithm like bcrypt, the result came back almost immediately:

A cracked bcrypt hash

And there you have it - the highlighted text is the password used to create the bcrypt hash to the left of it. Now this isn't "cracking" in the traditional sense because I'm not trying to guess what her password was, rather it's a confirmation that her record in Dropbox is the hash of her very strong, very unique never-used-anywhere-else password. There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of.

As for Dropbox, they seem to have handled this really well. They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon and frankly even if she hadn't, that password was never going to be cracked. Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public. Definitely still change your password if you're in any doubt whatsoever and make sure you enable Dropbox's two-step verification while you're there if it's not on already.

There are now 68,648,009 Dropbox accounts searchable in HIBP. I've also just sent 144,136 emails to subscribers of the free notification service and a further 8,476 emails to those using the free domain monitoring service.

Update (the following day): I went back into my 1Password today and whilst my current password was created in 2014, it had kindly stored a previous one I'd overlooked when originally verifying the Dropbox data:

Older password from 22/09/2012

This password was replaced on the 22nd of September in 2012 so that gives you a sense of time frame that reconciles with what Dropbox has said in that the breach would have happened before this time.

So with this password I then repeated the same process as I had with my wife's and sure enough, my hash in the data set checked out - the password is correct:

My own cracked password

Both my wife's and my strong, unique password manager generated and stored passwords are the ones in the Dropbox data breach. Frankly, there was no ambiguity as to the legitimacy of this data after my wife's password checked out, but this is yet more certainty that they did indeed suffer a data breach.

Security Have I Been Pwned
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals