Dropbox Hack

Dropbox Hack: a reader asks…

I read about how Dropbox got hacked and lost 70 million user logins. I use Dropbox, do I need to worry?

Actually, you can spend your worry-beads on something else. Had your account been at risk, Dropbox would have asked you to change your password. This hack is worrisome for a certain subset of Dropbox users: those who’ve had accounts since 2012 or before, and those who’ve never changed their password since about mid-2012. And while upwards of 68 million credentials were stolen and put on the dark web, only a fraction of those credentials belonged to that subset of Dropbox users.

What’s more, the credentials that were compromised were the username/email address and a “hash” of the password. That means that the hash (some were bcrypt hashes and some were SHA1 hashes) would need to be converted into the actual password. That’s not a big deal for bad actor hackers, but certainly not something anyone can do. But it’s certainly a serious breach, and I’m a little disappointed that Dropbox waited so long to come clean.

But this, like every other publicized hack (there’s no shortage of these) simply reinforces the security mantra: use unique and unguessable passwords, and change them anytime you even suspect a possible compromise. And use a password manager (I like LastPass by the way).

Unfortunately, many consumers don’t pay enough (or any) attention to security, and we’re getting close to the point where we’ll just have to say, “You were warned”. Anyone can be hacked, and credentials stolen and put on the market for hackers to gain illicit access. That’s a fact of life now, and the consumer only has three possible courses of action:

1. Ignore it and hope you don’t get hacked (you will, sooner or later)
2. Stop using consumer technology (ok, had to put that in, it’s a valid but unrealistic option)
3. Start taking the security of your digital life seriously

Please, please be in the last group. Get yourself a password manager, and as you visit online places (email, websites, etc.) change whatever password you had with a unique one generated by the password manager. Your password manager will keep track of the dozens (hundreds?) of passwords you’ll now be using, so you don’t have to. Everywhere possible, turn on two-factor authentication (Dropbox makes this easy, see their help file) so that nobody can get into your accounts without having more than just your username/email and password. Two-factor authentication requires you to have a cell phone with text messaging, or a smartphone with an authorization app (like the Google Authenticator).

Whenever your username and password are used, the site sends a code to your smartphone (or you use a code from the authenticator app) to verify that you are the one accessing your account. This independent means of validating your identity helps ensure that even if your login credentials are stolen, the hackers still can’t get into your accounts. More and more online places are enabling two-factor authentication, so be sure to check with them and turn it on as soon as it’s available. Many social networking sites, banks and financial institutions, and email service providers are now enabling two-factor authentication. If you don’t see it yet, keep checking back, and let the site webmasters know that this is an important thing to have.

---

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via (send to @PosiTek), (send to Support@PosiTek.net), using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!

Go to Top of Page