کعنان
محفلین
ڈراپ باکس کے 68 ملین صارفین کا ڈیٹا چوری کر لیا گیا
ہفتہ 3 ستمبر 2016
ڈراپ باکس نے اعتراف کیا ہے کہ اس کے 68 ملین صارفین کے پاس ورڈ چوری کرلیے گئے جو اب انٹرنیٹ پر عام دستیاب ہیں۔
واشنگٹن: آن لائن ڈیٹا اسٹوریج کمپنی ڈراپ باکس نے اعتراف کیا ہے کہ اس کے 6 کروڑ 80 لاکھ صارفین کے ای میل ایڈریسز اور پاس ورڈ چوری کر لیے گئے ہیں جو اس وقت انٹرنیٹ پر کھلے عام رکھ دیئے گئے ہیں۔
ڈراپ باکس کے مطابق یہ ای میل ایڈریسز اور پاس ورڈز غالباً 2012ء میں چرائے گئے تھے لیکن انہیں 2 ہفتے پہلے ہی انٹرنیٹ پر عام کیا گیا ہے۔ کمپنی کو اب تک یہ بھی معلوم نہیں کہ ان چوری شدہ پاس ورڈز/ ای میل ایڈریسز کے ذریعے کوئی غیرقانونی طور پر اس کے نیٹ ورک میں داخل ہوا بھی ہے یا نہیں۔
ہیکنگ کی اس واردات پر ڈراپ باکس نے معذرت کی ہے اور اپنے صارفین سے درخواست کی ہے کہ وہ اپنے پاس ورڈز جلد از جلد تبدیل کر لیں تاکہ کسی کو ان کے ڈراپ باکس اکاؤنٹ میں داخل ہونے اور ان کے حساس ڈیٹا تک پہنچنے کا موقع نہ مل سکے۔
آن لائن ڈیٹا اسٹوریج جسے ’’کلاؤڈ‘‘ بھی کہا جاتا ہے، صارفین کو انٹرنیٹ پر اپنا ڈیٹا محفوظ رکھنے اور ضرورت پڑنے پر دوسروں کے ساتھ شیئر کرنے سہولیات وغیرہ پر مشتمل ہے۔ اس نوعیت کی خدمات گوگل اور مائیکروسافٹ سمیت دوسری کئی کمپنیاں فراہم کررہی ہیں مگر اس میدان میں ڈراپ باکس ایک پرانا اور قابلِ اعتماد نام ہے۔
ڈراپ باکس کے ذریعے ایسی بڑی ڈیجیٹل فائلز بھی انٹرنیٹ کے ذریعے بھیجی جا سکتی ہیں جو عام طور پر ای میل کے ساتھ اٹیچمنٹ کے طور پر منسلک نہیں کی جا سکتیں۔ ڈراپ باکس کی کچھ خدمات مفت ہیں لیکن ماہانہ، سہ ماہی، ششماہی اور سالانہ فیس دے کر بنائے جانے والے ’’پریمیم اکاؤنٹ‘‘ میں آن لائن ڈیٹا اسٹوریج اور شیئرنگ سمیت دوسری سہولیات بھی دستیاب ہیں۔
صارفین کے 6 کروڑ 80 لاکھ ای میل ایڈریسز اور پاس ورڈز چوری ہونے کا مطلب صرف مالی نقصان ہی نہیں بلکہ صارفین کے حساس ڈیٹا کے لیے بھی خطرے کی گھنٹی ہے۔ اسی خطرے کے پیشِ نظر بیشتر کمپنیاں اپنے صارفین پر پاس ورڈ تبدیل کرتے رہنے اور موبائل نمبر فراہم کرنے جیسے اقدامات پر زور دیتی رہتی ہیں تاکہ اگر کوئی ہیکر پرانے پاس ورڈ کو چُرا لے تب بھی فون نمبر کے ذریعے پاس ورڈ ری سیٹ کیا جا سکے۔
اس سارے معاملے کا واحد اطمینان بخش پہلو یہ ہے کہ چوری شدہ تمام پاس ورڈز 4 سال پرانے ہیں اور بہت ممکن ہے کہ اس دوران بیشتر صارفین نے اپنے پاس ورڈز تبدیل کر لیے ہوں گے۔
ح
Dropbox hack leads to leaking of 68m user passwords on the
Data stolen in 2012 breach, containing encrypted passwords and details of around two-thirds of cloud firm’s customers, has been leaked
The Dropbox data breach has highlighted the problem of password reuse. Photograph: Alamy
Samuel Gibbs
Wednesday 31 August 2016 11.43 BSTLast modified on Thursday 1 September 201610.36 BST
Save for later
Popular cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords leaking on to the internet.
The attack took place during 2012. At the time Dropbox reported a collection of user’s email addresses had been stolen. It did not report that passwords had been stolen as well.
The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.
The independent security researcher and operator of the Have I been pwned? data leak database, Troy Hunt, verified the data discovering both his account details and that of his wife.
Hunt said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”
Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.
Half the passwords were still encrypted with SHA1 at the time of the theft.
“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure youenable Dropbox’s two-step verification while you’re there if it’s not on already.”
Advertisement
The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.
Dropbox reset a number of users’ passwords at the time, but the company has not said precisely how many.
The hack highlights the need for tight security, both at the user end – the use of strong passwords, two-step authentication and no reuse of passwords – and for the companies storing user data. Even with solid encryption practices for securing users’ passwords, Dropbox fell foul of password reuse and entry into its company network.
Leading security experts recommend the use of a password manager to secure the scores of unique and complex passwords needed to properly secure the various login details needed for daily life. But recent attacks on companies includingbrowser maker Opera, which stores and syncs user passwords, and password manager OneLogin, have exposed the dangers of using the tool.
Picking the right password manager is just as crucial and using one in the first place.
A Dropbox spokesperson said: “There is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users.”
Data stolen in 2012 breach, containing encrypted passwords and details of around two-thirds of cloud firm’s customers, has been leaked
The Dropbox data breach has highlighted the problem of password reuse. Photograph: Alamy
Samuel Gibbs
Wednesday 31 August 2016 11.43 BSTLast modified on Thursday 1 September 201610.36 BST
Save for later
Popular cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords leaking on to the internet.
The attack took place during 2012. At the time Dropbox reported a collection of user’s email addresses had been stolen. It did not report that passwords had been stolen as well.
The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.
The independent security researcher and operator of the Have I been pwned? data leak database, Troy Hunt, verified the data discovering both his account details and that of his wife.
Hunt said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”
Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.
Half the passwords were still encrypted with SHA1 at the time of the theft.
“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure youenable Dropbox’s two-step verification while you’re there if it’s not on already.”
Advertisement
The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.
Dropbox reset a number of users’ passwords at the time, but the company has not said precisely how many.
The hack highlights the need for tight security, both at the user end – the use of strong passwords, two-step authentication and no reuse of passwords – and for the companies storing user data. Even with solid encryption practices for securing users’ passwords, Dropbox fell foul of password reuse and entry into its company network.
Leading security experts recommend the use of a password manager to secure the scores of unique and complex passwords needed to properly secure the various login details needed for daily life. But recent attacks on companies includingbrowser maker Opera, which stores and syncs user passwords, and password manager OneLogin, have exposed the dangers of using the tool.
Picking the right password manager is just as crucial and using one in the first place.
A Dropbox spokesperson said: “There is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users.”
Ref
