Dropbox Accounts compromised

Onemufc

Herald
Earlier today, a thread surfaced on Reddit offering up 400 Dropbox usernames and passwords in plain text, with a note that over seven million accounts have been compromised in total. Dropbox has since announced on its blog that it wasn't hacked, and that the leaked passwords were stolen from a third party service.

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

Source: http://www.androidcentral.com/hundr...-third-party-service-change-your-password-now
 
This is what happens when too much cross linking with other sites & services is offered nowadays.
 
I don't understand how passwords can be leaked via 3rd party services???
Do they share their database tables directly with those 3rd parties???
AFAIK APIs do not give out passwords to the caller... they only take passwords as input to authenticate a user, and if the password is valid they issue some kind of token or flag to inform that the user is validated...
I have never heard of any API giving access to passwords, that too in bulk...
Like for an authenticated user I can pull his entire friend list with their respective email ids from Facebook, but I would never be able to do "give me the passwords of all the people in the friend list of so and so user"...
This sounds extremely bizarre and dodgy .....
I am very sure that the recent celebrity photo leak scandal was also from Dropbox, as some sites have reported the same....
Time Dropbox comes up with a better explanation,
and very high time companies start taking customer data security and privacy even more seriously...
 
^I guess Dropbox delegates the login service itself to the 3rd party services. So 3rd party services accept the login details from the user and access the Dropbox services. For eg, Titanium Backup has a Dropbox sync feature where we need to provide login credentials to the Titanium app itself. But FB, Google and similar providers handle this differently: the credentials are accepted within the native system and then permission is given to the 3rd party services.
 
Nah.. even such services can only take the username/password from the user and pass it on to Dropbox for authentication... Yes, such services can save these passwords when the user enters them in their app, and those DBs can be compromised... but then also Dropbox clearly should be able to identify which such service had more than 7 million users....
7 million is not a small number.
 
^7 million.. I have no idea at all where that number came from. I was just explaining how the Dropbox 3rd party service integration differs from FB, Google and similar service providers. Asking the 3rd party provider to accept the login credentials is itself a big flaw!!!
 
That many account credentials are said to be in the possession of the hackers....
Actually that's one tradeoff of allowing integration with other services: they do have access to your credentials...
Even FB allows this.
Not only passwords... sites have access to payment info like card no, CVV no, expiry date when you use ANY site for payment.
The payment gateway does provide a particular iframe which contains all this information, and then the iframe is placed on the websites...
But to give the sites the flexibility of customizing the UI, they allow them to override certain features, which also includes reading the info from the webpage --> (save it on the website's own server or not) --> then pass this info to the bank to complete the transaction.
In this case, when such sites are compromised all your card info is leaked and no one is accountable for it, since such exclusions are already mentioned in site policies...
Still, the EU is very strict with such things and has stringent checks for sites that handle payments.
 
It's very easy to design an API which passes the information to something called an iframe provided by software solutions. And I don't think Dropbox is monitoring how the 3rd party apps use the login. So, this might be a reason.
 
One possibility is that these people used the leaked 5 million or whatever password list from the past and tried logging in to various other services. You are bound to find a lot of people using the same username/passwords on many sites.
 
Bang on....
Say I have a million Facebook credentials; it's not very difficult to write a script which will check the apps of each credential and then go and exploit that account also....
Sadly Dropbox will continue to deny the leak and no one will be accountable for it....
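
An added defender-side illustration of the credential-stuffing scenario the last two posts describe (not code from this thread or from Dropbox): it scans constructed login-log lines for a source that cycles through many distinct usernames with mostly failures, then lists the accounts where a reused password actually worked so they can be expired, which is the response Dropbox's statement describes. The log format, field names, IP addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from Dropbox or any real system).
# 203.0.113.7 tries six different accounts in six seconds; one reused password works.
SAMPLE_LOG = """\
2014-10-13T10:00:01Z login user=alice@example.com src=203.0.113.7 result=FAIL
2014-10-13T10:00:02Z login user=bob@example.com src=203.0.113.7 result=FAIL
2014-10-13T10:00:03Z login user=carol@example.com src=203.0.113.7 result=FAIL
2014-10-13T10:00:04Z login user=dave@example.com src=203.0.113.7 result=FAIL
2014-10-13T10:00:05Z login user=erin@example.com src=203.0.113.7 result=OK
2014-10-13T10:00:06Z login user=frank@example.com src=203.0.113.7 result=FAIL
2014-10-13T10:01:00Z login user=alice@example.com src=198.51.100.20 result=OK
2014-10-13T10:02:00Z login user=grace@example.com src=198.51.100.20 result=OK
"""
LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(OK|FAIL)$")

def parse(text):
    """Parse the assumed log format into (timestamp, user, src_ip, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {src_ip: (distinct_users, fail_ratio)} for sources that, within a
    sliding time window, try many distinct usernames and mostly fail. A single
    user mistyping a password has one user and is never flagged."""
    by_src = defaultdict(list)
    for ts, user, src, ok in sorted(events):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1            # slide the window forward in time
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            ratio = sum(1 for _, _, ok in win if not ok) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[src] = (len(users), round(ratio, 2))
    return flagged

def accounts_to_expire(events, flagged):
    """Accounts with a successful login from a flagged source: the reused
    passwords that actually worked, which should be expired (forced reset)."""
    return sorted({u for _, u, src, ok in events if ok and src in flagged})
```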
 