Dropbox hack leads to dumping of 68m user passwords on the internet

Popular cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords dumped on to the internet.

The attack took place during 2012. At the time Dropbox reported a collection of user’s email addresses had been stolen. It did not report that passwords had been stolen as well.

The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.

The independent security researcher and operator of the Have I been pwned? data leak database, Troy Hunt, verified the data discovering both his account details and that of his wife.

Hunt said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”

Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.

Half the passwords were still encrypted with SHA1 at the time of the theft.

“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure youenable Dropbox’s two-step verification while you’re there if it’s not on already.”

The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.

Dropbox reset a number of users’ passwords at the time, but the company has not said precisely how many.

The hack highlights the need for tight security, both at the user end – the use of strong passwords, two-step authentication and no reuse of passwords – and for the companies storing user data. Even with solid encryption practices for securing users’ passwords, Dropbox fell foul of password reuse and entry into its company network.

Leading security experts recommend the use of a password manager to secure the scores of unique and complex passwords needed to properly secure the various login details needed for daily life. But recent attacks on companies includingbrowser maker Opera, which stores and syncs user passwords, and password manager OneLogin, have exposed the dangers of using the tool.

Picking the right password manager is just as crucial and using one in the first place.

A Dropbox spokesperson said: “There is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users.”

Read More

Ericsson to Start Delivering 5G Components in 2017

International groups set 2020 deadline to agree on frequencies and standards for the new equipment

Ericsson’s announcement that it would start delivering all components necessary to roll out 5G mobile-phone networks in 2017 is part of a highly competitive race for a larger seat at the table where 5G capabilities are being defined. PHOTO: CASPER HEDBERG/BLOOMBERG NEWS

STOCKHOLM— Ericsson AB on Tuesday said it would start delivering all components necessary to roll out fifth-generation, or 5G, mobile-phone networks in 2017—three years ahead of a 2020 deadline that inter-government agencies have set to agree on frequencies and standards for the new equipment.

The Swedish company, one of the world’s largest suppliers of wireless networks, said it has struck partnerships with 26 telecom carriers willing to deploy the technology, which promoters say will power self-driving cars and other connection-hungry projects.

“5G is happening now,” said Arun Bansal, head of Network Products at Ericsson.

Ericsson might appear as if it is putting the cart before the horse because the telecom industry has yet to say precisely what 5G will bring beyond broader bandwidth and smoother interaction between connected objects.

But the early marketing salvo is part of a highly competitive race in which Ericsson is sparring with rivals Finland’s Nokia Corp. and Huawei Technologies Co. of China for a larger seat at the table where 5G capabilities are being defined.

At stake are billions of dollars in future intellectual property and patent revenue.

Final 5G standards will be set by the International Telecommunication Union, a United Nations agency that coordinates information and communication technologies world-wide, after taking into consideration proposals by the industry. The most important body feeding the ITU with proposals is the Third Generation Partnership Project, or 3GPP, a telecom industry group that developed current mobile-phone standards, known as 4G.

By supplying 5G prototypes to customers, network-equipment makers are seeking to gain influence on the standard-setting process. Like Ericsson, Nokia and Huawei said they also were testing future equipment with customers.

Industry officials say they expect 5G standardization rounds to be hotly disputed, citing in part a shrinking presence of Western vendors whose numbers have fallen sharply after a series of mergers. In contrast, Huawei and other Chinese suppliers have invested heavily in research and development and are playing a more active role in setting standards.

“Europe’s total impact is in decline,” said Toon Norp, chairman of one of 3GPP’s working groups. “The influence of the Chinese vendors has grown enormously.”

Ericsson has a lot riding on 5G. The company, which ousted its chief executive, Hans Vestberg, last month, is straining to remain profitable amid weak demand for 4G networks.

Carriers world-wide have spent billions of dollars in recent years to deploy 4G, but most projects in mature markets have been completed, while many emerging markets lack financial resources to upgrade their networks.

“Ericsson and several of its industry peers are haunted by declining sales volumes,” saidMathias Lundberg, an analyst at Swedbank. “A new generation of wireless technology would set about a much needed investment cycle at the operators.”

In July, Ericsson posted a second-quarter net profit of 1.59 billion Swedish kronor ($187.8 million), a 24% drop from a year earlier. Revenue fell 11% to 54.1 billion kronor. The company collected 2.2 billion Swedish kronor in intellectual property rights in the period, about 4% of total revenue.

During the standard-setting negotiations, each vendor seeks to include as much of its intellectual property into product specifications to maximize fees from other players when the technology comes in use, said Bengt Nordström at Stockholm-based telecom consulting firm Northstream.

Telecoms carriers involved in testing experiments usually weigh in. Swisscom, a Swiss operator that has agreed to acquire Ericsson’s 5G equipment, said it would report the results of its tests to standard-setting bodies.

Ericsson said it was confident that bringing its 5G products in line with the technology’s final standards could be achieved through software updates.

While large 5G rollouts aren’t expected until early in the next decade, vendors and operators are expected to launch large-scale networks at some major sports events in the years to come, such as the 2018 Winter Olympics in South Korea.

Read More