chenxi9649 | 1 year ago

"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."

hashed passwords, API keys, OAuth tokens, MFA...

Oh no.

tyrelb | 1 year ago

I use the Dropbox Sign API, so I'm a little fearful our private data was accessed. API keys were leaked as part of this hack. It's unclear from the press release whether the hackers used the API keys to access customers' data/documents.

April 24th they became aware of the issue, reporting it over a week later. I'd also be curious about how long this problem went on before being detected on April 24.

I suppose more will come out in the coming days.

meindnoch | 1 year ago

Hashed passwords? Surely they mean hashed and salted passwords. Right? Right???

rvnx | 1 year ago

They were using SHA1, then they migrated.

68 million accounts dumped: https://www.theguardian.com/technology/2016/aug/31/dropbox-h...

https://www.troyhunt.com/the-dropbox-hack-is-real/

Now they first hash the password using SHA512 (with a per-account salt),

then they hash that with bcrypt (with the default strength),

then they encrypt the result with a key that the application server runs with, but that is not stored in the database.

So yes, hashed and salted.
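The three layers described above, as an added example that is not from the thread or from Dropbox's own code: a salted SHA-512 pre-hash, a slow password hash, and encryption under a "pepper" key that lives only on the application server. Two assumptions: the slow-hash step uses PBKDF2-HMAC-SHA256 from Ruby's stdlib OpenSSL binding in place of bcrypt (bcrypt needs a gem), and the encryption layer is AES-256-GCM, which the comment does not specify.

```ruby
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000 # constructed value; tune to your hardware
KEY_LEN = 32

# Layer 1: salted SHA-512. Also keeps the slow-hash input a fixed 64 bytes,
# which sidesteps bcrypt's 72-byte password limit in the real scheme.
def prehash(password, salt)
  OpenSSL::Digest::SHA512.digest(salt + password.b)
end

# Layer 2: deliberately slow, salted hash (PBKDF2 here, standing in for bcrypt).
def slow_hash(prehashed, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(prehashed, salt, PBKDF2_ITERATIONS, KEY_LEN,
                              OpenSSL::Digest.new('sha256'))
end

# Layer 3: encrypt the hash under the server-side pepper key. A database dump
# alone yields only ciphertext, so offline cracking needs the app key too.
def encrypt_with_pepper(plaintext, pepper_key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = pepper_key
  iv = SecureRandom.random_bytes(12)
  cipher.iv = iv
  ct = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ct].map { |b| b.unpack1('H*') }.join(':')
end

def decrypt_with_pepper(record, pepper_key)
  iv, tag, ct = record.split(':').map { |h| [h].pack('H*') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = pepper_key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ct) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # wrong pepper key or tampered record: GCM tag check fails
end

# Constant-time comparison so verification time does not leak hash prefixes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What gets written to the database row: per-account salt plus encrypted hash.
def store_password(password, pepper_key)
  salt = SecureRandom.random_bytes(16)
  digest = slow_hash(prehash(password, salt), salt)
  { salt: salt.unpack1('H*'), blob: encrypt_with_pepper(digest, pepper_key) }
end

# Verification needs both the row and the pepper key; without the key it fails.
def verify_password(password, row, pepper_key)
  stored = decrypt_with_pepper(row[:blob], pepper_key)
  return false if stored.nil?
  salt = [row[:salt]].pack('H*')
  secure_equal?(slow_hash(prehash(password, salt), salt), stored)
end
```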