Posted on Sep 22, 2016
Resurfacing data breaches have made themselves known in a big way and they’re here to stay. We covered the resurfacing of LinkedIn’s massive 2012 data breach that resulted in 100M user accounts and passwords leaking in 2016. Yahoo’s major data breach resulting in 500M email account and passwords being leaked is the result of a 2014 breach. And two other massive hacks have resurfaced, putting even more organizations and users at risk. We’re covering the recent Last.fm and Dropbox resurfaced hacks to show how you can protect yourself from hackers exploiting the leaked data and how companies can better protect their own data and their users’ data in the case of a data breach incident.
In June of 2012, three months after LeakedSource, an informational service dedicated to detailing major data breaches had confirmed, Last.fm, announced that their user passwords were leaked and all users should change their passwords. Last.fm, a music tracking and analytics company connected this leak to other leaks happening around the same time and noted that their announcement was merely a precautionary measure.
However, at the end of August, LeakedSource announced that it received a copy of the Last.fm leaked database and confirmed that it contained data on over 43.5M accounts. The dataset included usernames, email addresses, and service-related account information, among other things.
Most importantly, the dataset contained passwords hashed with an MD5 algorithm, an old form of password hashing that is susceptible to brute-forcing attacks and other cracking tools and techniques no longer in use. Compounding the issues was the fact that the passwords weren’t salted, which was the same issue in the LinkedIn data breach. ‘Salting’ an additional method of protection that makes any effort to crack the passwords much harder. Due to the lack of proper protection in place today, LeakedSource was able to crack over 96% of the passwords in less than two hours and by the time all the passwords were cracked, there were some embarrassing results.
Sophos tallied the passwords cracked by LeakedSource and tallied the top ten most common passwords. At the top was ‘123456’, followed by ‘password’, and the, ironically ‘lastfm’. These patterns in passwords make it easier for malicious hackers to guess commonly used passwords across other accounts if they have an associated email address, and in the case of the ‘lastfm’ password, know that users may just use the name of the service for the password.
Fortunately, while the Dropbox hack was larger, they employed better security measures.
At the end of July 2012, Dropbox wrote a blog post detailing that passwords and usernames stolen from other websites were being used to sign into Dropbox accounts and one was used to “access an employee Dropbox account containing a project document with user email addresses.” In response, Dropbox noted that they contacted the users who had their accounts affected and took additional precautions in order to prevent more issues from stemming.
Fast-forward to the end of August 2016, where Vice’s Motherboard initially reported having received a 5GB dataset containing over 68.5Muser accounts and hashed passwords, verified by a senior Dropbox employee. Troy Hunt, a leading independent researcher on verifying data breaches, looked deeper into the leaked data and found his user account and 2012 password, as well as that of his wife’s.
Numerous articles came in and more details followed including the fact that the original stolen usernames and passwords came from the LinkedIn 2012 data breach. As mentioned in our coverage, the lack of salts in LinkedIn encrypted passwords made the passwords easily crackable. The Dropbox hack was possible because an employee reused their LinkedIn password for their Dropbox account. When a malicious hacker tried the stolen LinkedIn password on the employee’s Dropbox account, they were able to infiltrate Dropbox and access their data.
A further look into the data dump brings good news and bad news. The good news is that Dropbox has contacted account holders and reset passwords of all potentially affected customers assuring them that there’s no evidence of an account being improperly accessed. Even more good news is that the passwords were encrypted with a salt, protecting users further.
Unfortunately, the bad news is that about half the leaked passwords had a different cryptographic algorithm from the other half. One half used a SHA-1 cryptographic algorithm, a weaker hash function that has been replaced by SHA-2 and SHA-3 variants. The other half was encrypted using bcrypt, a more secure hashing function. Currently, there’s no clear way to know, from an account-level perspective, which passwords have the stronger algorithm in place. Regardless, users should change their Dropbox passwords and change any passwords that may reuse the initial Dropbox passwords to avoid cross-account compromise.
The ways in which these companies encrypted their data and responded to the breach and subsequent resurfacing lead to important takeaways for both individuals and organizations.
There are several key takeaways for both businesses and individuals in mitigating the risk data breaches and leaked passwords involve.
To prevent further damage from both the Last.fm and Dropbox data breaches, organizations should:
Individuals should also be taking the role of employees here and following this advice as well.
In a scenario where an organization is breached and sensitive information is leaked, the Dropbox and Last.fm hacks show that the manner in which passwords are encrypted or hashed makes a significant difference in how easy the information can become publicly available and viewable. For organizations that use user accounts and passwords as part of their customer experience, for example, an email provider or application company, organizations should:
Resurfaced data breaches are likely to be more common as hackers practice careful diligence prior to infiltrating an organization’s network and exfiltrating the accessed data. In the meantime, organizations and individuals should practice basic security measures when it comes to password management and user data protection in order to minimize any widespread damage.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.