September 1, 2016
Nobody likes to be hacked, and that’s why it is confusing that people ignore the issues of password strength, reuse, good security practices, and (maybe) not signing up for every new flashy service that comes across our browsers’ feeds. Then again, go ahead (sarcasm); your account is probably worth something to the wrong people. My Dropbox account was exposed in a security breach a few years ago (one which contains 68 million accounts – Sophos blog), which is why I’m darn glad that I’ve been switching the password every 12 months or so, and also so very glad I’ve subscribed to a hack notification service like HaveIBeenPwned?
To be clear, the notice of this hack isn’t new; we knew years ago because Dropbox told its user base, and everyone changed their passwords then (didn’t you?). Now is when we can see some of what got out.
You’ve been pwned!
You signed up for notifications when your account was pwned in a data breach and unfortunately, it’s happened. Here’s what’s known about the breach:
Date of breach: 1 Jul 2012
Number of accounts: 68,648,009
Compromised data: Email addresses, Passwords
Description: In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers. In August 2016, they forced password resets for customers they believed may be at risk. A large volume of data totalling over 68 million records was subsequently traded online and included email addresses and salted hashes of passwords (half of them SHA1, half of them bcrypt).
The message is clear. So this post is a PSA – subscribe to a notification service. Read a few articles on good practices, put some of them to use, and you’re far less likely to find your stuff being stolen by nefarious mongrels with everything to gain from you.
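A notification service tells you after the fact that an account of yours was in a dump. The same HaveIBeenPwned project later added a Pwned Passwords range API that lets you ask whether a particular password appears in breach data without ever sending the password: only the first five hex characters of its SHA-1 hash leave your machine, and you match the rest locally. The following is an added example, not code from the post or from HaveIBeenPwned; it assumes the endpoint `https://api.pwnedpasswords.com/range/<prefix>` returning `<35-hex-suffix>:<count>` lines, and the sample bucket data below is constructed so the check runs offline.

```python
"""k-anonymity password exposure check (added example, not from the post).

Assumption: the HIBP Pwned Passwords range API answers
GET https://api.pwnedpasswords.com/range/<5-hex-prefix> with one
"<35-hex-suffix>:<count>" line per exposed SHA-1 hash in that bucket.
"""
import hashlib
import re
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # API design: 16**5 buckets, so a lookup reveals only the bucket
_LINE_RE = re.compile(r"^([0-9A-F]{35}):(\d+)$")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the key the range API is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Split a 40-hex SHA-1 digest into the 5-char prefix (sent) and 35-char suffix (kept)."""
    digest = hex_digest.upper()
    if len(digest) != 40:
        raise ValueError("expected a 40-hex-character SHA-1 digest")
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped, not trusted."""
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        match = _LINE_RE.match(raw.strip().upper())
        if match:
            counts[match.group(1)] = int(match.group(2))
    return counts


def exposure_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times the password's hash appears in the bucket; 0 means not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def live_lookup(prefix: str) -> str:
    """Network version (assumed endpoint; not exercised offline). Add-Padding asks
    the service to pad the bucket so response size does not leak which bucket it is."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample data: a bucket containing the hash of "password" plus two
# made-up neighbouring suffixes. The counts are invented, not HIBP's figures.
_SAMPLE_PREFIX, _SAMPLE_SUFFIX = split_hash(sha1_hex("password"))
SAMPLE_RANGES: Dict[str, str] = {
    _SAMPLE_PREFIX: "\r\n".join([
        "0" * 35 + ":1",
        f"{_SAMPLE_SUFFIX}:3861493",
        "F" * 35 + ":2",
        "not a valid line",  # exercises the parser's skip path
    ])
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for live_lookup that serves the constructed bucket only."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody reused (constructed)"):
        n = exposure_count(pw, offline_lookup)
        print(f"{pw!r}: {'seen %d times, change it everywhere it was reused' % n if n else 'not in sample data'}")
```

Swap `offline_lookup` for `live_lookup` to query the real service; the privacy property is the same either way, since `exposure_count` only hands the lookup function the five-character prefix.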