Rumors about Dropbox Breach

Hello everybody!

LifeLock and other identity theft protection firms accidentally alerted their customers about a breach at Dropbox. However, Dropbox wasn’t the site breached; it was the social network site Tumblr.

It was revealed recently that over half a billion usernames and passwords were stolen from Tumblr, MySpace and LinkedIn. The credentials were stolen from these social media sites years ago, but the full extent of the breaches only became clear recently.

The alerts LifeLock sent turned out to be false positives; the information behind them came from a third-party threat intelligence service, whose name was not disclosed.

LifeLock said in a written statement provided to KrebsOnSecurity “We can confirm that we recently notified a small segment of LifeLock members that a version of their credentials were detected on the internet… When we are notified about this type of information from a partner, it is usually a “list” that is being given away, traded or sold on the dark web. The safety and security of our members’ data is our highest priority. We are continuing to monitor for any activity within our source network. At this time, we recommend that these LifeLock members change their Dropbox password(s) as a precautionary measure.”

Patrick Heim, head of trust and security at Dropbox, said there was no evidence of a breach, but that the company was conducting further investigations and would update its customers.

The bogus attribution of the Tumblr breach to Dropbox came from an identity monitoring firm called CSID, which is in the midst of being acquired by credit bureau giant Experian.

Bryan Hjelm, vice president of product and marketing for CSID said, “Our mandate is to alert our client subscribers when we find their information on the darkweb. Regardless of the source, this is compromised data that belongs to them.”

That said, Hjelm acknowledged that CSID was “experiencing some reputational concerns” from Dropbox and others, but said this was the first time this kind of snafu had occurred for CSID.

One of the actors who post such lists, a sort of cyber gadfly best known by his hacker alias “w0rm”, had proven correct in previous posts on Twitter about new data breaches, Hjelm added. In this incident, w0rm posted a download link to a file he claimed contained 100 million records stolen from Dropbox, but the file behind the link held only 73 million credentials.

CSID analysts were not able to determine with confidence whether the data actually came from Dropbox, but sent out the notifications anyway. The analysts never try to log in using those credentials to see if they’re valid; instead they take steps to crack some of the hashed passwords to see whether a majority of them point to a certain online merchant or social network.

For instance, in the LinkedIn breach of over 100 million stolen usernames and passwords, investigators found that a number of the passwords contained some form of the word “linkedin”.
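The attribution heuristic described above, cracking a sample of hashes and counting how many plaintexts are themed on a candidate site, is easy to put into code. The example below is added here and is not CSID's or the article's own tooling. It assumes the dump is unsalted SHA-1 (an assumption made only to keep the illustration short; real dumps use many hash formats), uses a constructed list of plaintexts that exist only to build the sample hashes, and picks an arbitrary 20% share as the threshold below which no site should be named.

```python
import hashlib
from collections import Counter

# Constructed sample: these plaintexts are invented for this example and are
# hashed here with unsalted SHA-1 (assumption) to stand in for a leaked dump.
PLAINTEXTS = [
    "tumblr", "tumblr123", "mytumblr", "Tumblr2012",
    "dropbox", "linkedin1",
    "password", "qwerty", "letmein", "hunter2",
]
SAMPLE_HASHES = [hashlib.sha1(p.encode()).hexdigest() for p in PLAINTEXTS]

# Sites the analyst considers plausible origins for the dump (assumed list).
CANDIDATE_SITES = ["dropbox", "tumblr", "linkedin", "myspace"]
# A deliberately tiny set of suffixes; enough to show the counting idea.
SUFFIXES = ["", "1", "123", "2012", "2016"]


def site_wordlist(site):
    """Candidate passwords themed on a site name, e.g. 'tumblr123'."""
    words = set()
    for base in (site, site.capitalize(), "my" + site):
        for suffix in SUFFIXES:
            words.add(base + suffix)
    return words


def crack_unsalted_sha1(hashes, wordlist):
    """Return {hash: plaintext} for each hash that matches a candidate word."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


def attribute_dump(hashes, sites):
    """Per candidate site, count hashes that crack to a site-themed password."""
    counts = Counter()
    for site in sites:
        counts[site] = len(crack_unsalted_sha1(hashes, site_wordlist(site)))
    return counts


def best_guess(counts, total, min_share=0.2):
    """Name a site only when a meaningful share of the sample points at it.

    A single 'dropbox' password in a dump of millions says nothing; the
    threshold (assumed value) is what stops an analyst from attributing a
    dump on the strength of one or two matches.
    """
    if not counts or not total:
        return None
    site, hits = counts.most_common(1)[0]
    return site if hits / total >= min_share else None


if __name__ == "__main__":
    counts = attribute_dump(SAMPLE_HASHES, CANDIDATE_SITES)
    print(counts)                                    # Counter({'tumblr': 4, ...})
    print(best_guess(counts, len(SAMPLE_HASHES)))    # tumblr
```

On the constructed sample the tally is four Tumblr-themed passwords, one Dropbox-themed and one LinkedIn-themed, so the dump is attributed to Tumblr, and the lone "dropbox" hit is correctly ignored. The threshold is the part that matters for avoiding exactly the kind of false alert the article describes: without it, any dump containing even one site-themed password could be pinned on that site.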

Most websites do not allow multiple accounts linked to the same email address. Therefore, the validity of such claims can be checked by attempting to sign up for an account with the leaked email addresses. If a large number of the email addresses in the claimed leak list do not already have accounts at the allegedly breached website, the claim is almost certainly bogus.

Hjelm said CSID doesn’t currently use this rather manual technique, but that the company is open to suggestions.

Flashpoint, a firm that conducts security research and dark web monitoring, found that the file w0rm leaked maps back to a recycled 2013 breach at Tumblr.

Allison Nixon, a cybercrime researcher and director of Flashpoint, said “In general, the skill of human skepticism performed today by threat intelligence experts is extremely difficult to automate… Even with advancements in cognitive and artificial intelligence technologies, humans will still and always be needed to validate the nuances associated with accurate intelligence. Security experts must be intimately involved in the fact checking process of threat intelligence, or otherwise, will run the risk of losing valuable time, resources and possibly even more, by validating false information perceived as accurate by automated technologies.”

The intended victims of actors like w0rm are probably other cybercriminals, but threat intelligence companies can get caught up in this as well.

Dropbox is using this opportunity to ask users to strengthen their security. Dropbox’s Patrick Heim said, “In matters of security, we always suggest users take an abundance of caution and reset their passwords if they receive any notification of a potential compromise…Dropbox strongly encourages individuals use strong and unique passwords for each service. We also encourage Dropbox users to enable two-factor authentication to further protect their account.”

It goes without saying that re-using passwords across multiple sites that may hold personal information about you is an extremely bad idea.

Source: Akati