Once More Into the Breach Response
Reasonable people can, and often do, disagree about what constitutes a proper public response to a data breach. Some people want immediate and full disclosure of all of the details of the event, while others tend to favor a more measured approach, releasing some information at the beginning and more data as things shake out.
But what doesn’t work is leaving users to fend for themselves after a breach without any information. Two separate breaches that have come to light in the last week have brought this point home once again. On August 25, Dropbox posted a short notice on its blog, telling users that the next time they logged in they would be forced to reset their passwords.
“If you signed up for Dropbox prior to mid-2012 and haven’t changed your password since, you’ll be prompted to update it the next time you sign in. We’re doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed. We’re sorry for the inconvenience,” the notice says.
In the FAQ following the notice, the company says that the forced reset is the result of an attack on the company in 2012. At the time, the company said that only customer email addresses were taken, but now it seems that quite a few passwords were taken, too. As in, 68 million passwords. The files with those passwords have been posted online, and security researchers have analyzed them and verified the authenticity of their contents.
“Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised,” the Opera notice says.
“Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution.”
These two incidents have a couple of things in common. First, both companies seem to be storing their users’ passwords in a secure manner, for the most part. Researcher Troy Hunt looked at the Dropbox files and found that while half of them were hashed with SHA-1, an old algorithm that’s considered insecure at this point, the other half were hashed with bcrypt, a much more secure algorithm. In Opera’s case, we only know that the company stores synced passwords in encrypted form and that authentication passwords are hashed and salted. There’s no information on which algorithms Opera uses, but the use of encryption and hashing is better than storing passwords in the clear, which, believe it or not, is still a thing.
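The contrast the article draws, a bare SHA-1 digest versus a salted, slow hash, is easier to see in code. The following is an added example, not code from Dropbox, Opera or the article; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so it runs without third-party packages (the iteration count is an assumption to tune per deployment), and it adds a `needs_upgrade`/`login_and_upgrade` pair to show how a site with a mix of legacy and modern hashes, as Dropbox had, can migrate records to the stronger scheme the next time a user logs in successfully.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Weak scheme, shown only for contrast: one unsalted SHA-1 digest.
# Two users with the same password get the same stored value, so a single
# precomputed table or a single cracked value exposes all of them at once.
def weak_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: per-user random salt plus a deliberately slow, iterated
# key derivation. PBKDF2-HMAC-SHA256 stands in for bcrypt here; the design
# point (unique salt + work factor) is the same.
ITERATIONS = 100_000  # assumption: raise until one hash costs ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: everything verification needs travels with the hash.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(scheme, password: str) -> bool:
    """True when two users sharing a password receive identical stored values."""
    return scheme(password) == scheme(password)


def needs_upgrade(stored: str) -> bool:
    """A bare 40-hex-char record is a legacy unsalted SHA-1 hash."""
    return "$" not in stored and len(stored) == 40


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login; on success, rehash legacy records with the hardened scheme.

    Returns (login_ok, record_to_store). The record only changes when the
    user proved knowledge of the password, since that is the only moment the
    plaintext is available to rehash.
    """
    if needs_upgrade(stored):
        ok = hmac.compare_digest(weak_sha1(password), stored)
        return ok, (hash_password(password) if ok else stored)
    return verify_password(password, stored), stored


if __name__ == "__main__":
    legacy = weak_sha1("correct horse battery staple")  # constructed legacy record
    print("unsalted SHA-1 collides across users:", same_password_collides(weak_sha1, "pw"))
    print("salted PBKDF2 collides across users:", same_password_collides(hash_password, "pw"))
    ok, record = login_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok, "| upgraded:", record.startswith("pbkdf2_sha256$"))
```

The migrate-on-login pattern is what lets a service retire SHA-1 records without ever knowing the plaintext up front; records that never get a successful login stay legacy, which is exactly the population a forced reset like Dropbox's is meant to flush out.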
Second, both Dropbox and Opera have given users just the bare bones in terms of information on the breaches. The Dropbox incident goes back four years and security researchers at the time questioned the company’s claim that no passwords were taken. Cautious users likely changed their passwords at the time or in the intervening years, but many users don’t bother doing that without a specific reason, so it’s a decent bet that a good chunk of the 68 million passwords in that dump are still valid.
And the Opera incident remains a black box. The organization hasn’t released any further information about its server compromise, which is worrisome. The sync service is a high-value target, thanks to its function of storing users’ passwords for many different sites and services. The company has reset users’ sync passwords, but that doesn’t take into account all of the other passwords stored by the sync service. The authentication passwords were hashed, not encrypted, and tools such as Hashcat or L0phtCrack can crack those passwords in a few hours. Leaving users in the dark about the specifics of breaches like these is detrimental not just to users’ security but to companies’ reputations, as well.