Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.

Very shortly after, a supporter of Have I been pwned (HIBP) sent over the data which, once unzipped, looked like this:

What we've got here is two files with email addresses and bcrypt hashes, then another two with email addresses and SHA1 hashes. It's a relatively even distribution of the two, which appears to represent a transition from the weaker SHA variant to bcrypt's adaptive workload approach at some point in time. Only half the accounts get the "good" algorithm, but here's the rub: the bcrypt accounts include the salt whilst the SHA1 accounts don't. It's just as well, because it would be a far more trivial exercise to crack the older algorithm, but without the salts it's near impossible. At first glance the data looks legit, and indeed the Motherboard article above quotes a Dropbox employee as confirming it.

Knowing what her original password was and having what at this stage was an alleged hash of it, if I could hash her strong password using the same approach and it matched, then I could be confident the breach was legit. With that, it was off to hashcat armed with a single bcrypt hash and the world's smallest password dictionary, containing just the one strong password. Even with a slow hashing algorithm like bcrypt, the result came back almost immediately:

And there you have it - the highlighted text is the password used to create the bcrypt hash to the left of it. Now this isn't "cracking" in the traditional sense, because I'm not trying to guess what her password was; rather it's a confirmation that her record in the Dropbox data is the hash of her very strong, very unique, never-used-anywhere-else password. There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords; you simply can't fabricate this sort of thing. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of.

As for Dropbox, they seem to have handled this really well. They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon, and frankly even if she hadn't, that password was never going to be cracked. Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking, and frankly all but the worst possible password choices are going to remain secure even with the breach now out in the public. Definitely still change your password if you're in any doubt whatsoever, and make sure you enable Dropbox's two-step verification while you're there if it's not on already.

I've also just sent 144,136 emails to subscribers of the free notification service and a further 8,476 emails to those using the free domain monitoring service. There are now 68,648,009 Dropbox accounts searchable in HIBP.
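The single-candidate check described on this page (re-hash one known password with the salt and cost embedded in the stored bcrypt string and compare) as an added example; this is not code from the post, from HIBP or from Dropbox. It parses the bcrypt modular-crypt-format string, so you can read the cost factor and salt straight out of a record, and it distinguishes bcrypt records from bare SHA1 digests whose salt is absent from the export. Python's standard library has no bcrypt, so the runnable end-to-end verification uses a constructed PBKDF2-HMAC-SHA256 record of the same shape (cost and salt embedded) as a stand-in; the sample dump lines, the `$pbkdf2-sha256$` format and the `example.com` addresses are all constructed for the example.

```python
"""Classify leaked credential records and verify one known password against them.

Added example; not code from the post or from Dropbox/HIBP. It parses the
bcrypt modular-crypt-format string (cost and salt are embedded in it) and
re-hashes a single known password with those embedded parameters, the same
one-word-dictionary check the post describes. The standard library has no
bcrypt, so the runnable end-to-end verification uses a constructed
PBKDF2-HMAC-SHA256 record of the same shape as a stand-in.
"""
import base64
import hashlib
import hmac
import re

# $2a$10$<22-char salt><31-char digest>; variants 2, 2a, 2b, 2x, 2y
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
SHA1_HEX_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def parse_bcrypt(stored):
    """Return variant, cost, round count, salt and digest from a bcrypt string, or None."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    # bcrypt's cost is log2 of the key-schedule rounds: the work per guess
    return {"variant": variant, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "digest": digest}


def classify_record(line):
    """Split an 'email:hash' dump line into (email, kind, details)."""
    email, _, stored = line.strip().partition(":")
    parsed = parse_bcrypt(stored)
    if parsed:
        return email, "bcrypt", parsed
    if SHA1_HEX_RE.match(stored):
        # A bare 40-hex-char digest: the salt that went into it is not in the
        # export, so there is nothing to recompute against.
        return email, "sha1-no-salt", {"digest": stored.lower()}
    return email, "unknown", {}


def make_pbkdf2_record(password, salt, iterations=100_000):
    """Constructed stand-in format: $pbkdf2-sha256$<iterations>$<salt b64>$<digest b64>."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_known_password(stored, password):
    """Re-hash one known password with the parameters embedded in `stored`.

    True/False when the record carries its salt and cost; None when it cannot be
    verified (salt absent from the dump, or bcrypt without the bcrypt package)."""
    if stored.startswith("$pbkdf2-sha256$"):
        _, _, iters, salt_b64, digest_b64 = stored.split("$")
        got = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(got, base64.b64decode(digest_b64))
    if parse_bcrypt(stored):
        try:
            import bcrypt  # third-party package, not in the standard library
        except ImportError:
            return None
        return bcrypt.checkpw(password.encode(), stored.encode())
    return None  # unsalted export or unknown format: unverifiable


if __name__ == "__main__":
    # Constructed sample lines in the two shapes the post describes.
    bcrypt_line = "alice@example.com:$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    sha1_line = "bob@example.com:0123456789abcdef0123456789abcdef01234567"
    for line in (bcrypt_line, sha1_line):
        print(classify_record(line))
    rec = make_pbkdf2_record("correct horse battery staple", b"0123456789abcdef", 20_000)
    print(verify_known_password(rec, "correct horse battery staple"))  # True
    print(verify_known_password(rec, "wrong guess"))                   # False
```

Reading the cost out of the string is what explains the post's observation: a cost of 10 means 1024 rounds per guess, which is nothing for a one-word dictionary but is exactly what keeps a large wordlist slow. A record that carries no salt returns `None` rather than `False`, because there is no way to tell a wrong password from a missing parameter.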