Posted on Oct 14, 2014

Fake DropBox Password Leak Allows Rippers to Flourish - $1 USD obtained

On October 13, 2014 SecurityScorecard threat intelligence monitoring sensors detected a significant rise in leaked password chatter originating from, as shown in Figure 1.1. Unidentified individuals made several postings on the website claiming to be in possession of over 7 million breached Dropbox accounts, and released a sample set of 400 to the public. The author of the posting requested donations in the form of Bitcoin with the promise to release more data. DropBox denied the breach was from their servers, and claimed that a third party had been breached. The Reddit community also examined the breach data at length in a thread. SecurityScorecard analysis of the leaked data shows no presence of special characters or mixed capitalization within the passwords, indicating that the passwords were most likely cracked with a simple dictionary file as opposed to having been stored in cleartext. Furthermore, taking into account Dropbox's official statement denying a breach of their servers, it appears that these passwords did most likely originate from a combination of different breach sources and hackers were simply running them through DropBox "checkers" looking for valid accounts. In the hacking underground, a "checker" is a script that checks long lists of e-mail:password combinations against a variety of websites looking for users that reuse their credentials. A statement issued by DropBox underscores the importance of not reusing passwords and making use of 2-factor authentication where available. Screenshot from 2014-10-15 15:50:48 Fig 1.1 - Rise in leaked password chatter from What is quite interesting about this fake breach announcement is that malicious actors are also attempting to monetize hysteria in order to extract Bitcoin and other items of digital value from people who are seeking more information about the incident. Analysis of the Bitcoin address provided in the initial first few postings shows that the author was able to extract at least 3 different transactions to obtain a total donation of 0.0032 BTC as shown in Figure 1.2 (approximately $1 USD at time of writing). The Bitcoin address is 1Fw7QqUgzbns7yWHH32UnmMxmMMwu6MC6h. Screenshot from 2014-10-15 16:25:30 Fig 1.2 - Blockchain data for 1Fw7QqUgzbns7yWHH32UnmMxmMMwu6MC6h Shortly after the first three teaser postings were made, additional posts appeared from other individuals making use of different Bitcoin addresses and spam links. This is presumably different malicious actors who are simply using copycat methodologies and the hype surrounding the breach to attempt to divert traffic and funds into their pockets. The followup fake teaser postings contained different Bitcoin addresses that had received no transactions, as well as links to adult oriented affiliate network websites where it encouraged users to sign up in exchange for breached data. Since Bitcoin blockchain information is public, it is easy to determine the success of the campaign. However, analysts have no visibility into the affiliate statistics of the rippers to gauge the successful sign ups. If the original earnings of $1 for the mastermind of this campaign is any indication, the copycats have most likely seen $0. In this case it seems the old adage is true, crime just does not pay. Original Postings - DROPBOX HACKED First Teaser - DROPBOX HACKED Second Teaser - DROPBOX hack Third Teaser Fake Postings - DROPBOX HACKED Fourth Teaser - AdFly PPC link - DROPBOX HACKED Fifth Teaser - removed by pastebin - DROPBOX HACKED Sixth Teaser - New BTC address used - DROPBOX HACKED Seventh Teaser - Links to XXX spam

Security Research in your Inbox

Thanks for siging up for the newsletter!

Our Platform

Learn How It Works

Find out how we use open source intelligence, proprietary and open data feeds, and deep machine learning systems to correlate, attribute, and prioritize risks.

Learn About the Platform

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 categories of risk. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!