by chenxi9649 775 days ago
"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."

hashed passwords, API keys, OAuth tokens, MFA...

Oh no.

2 comments

I use the Dropbox Sign API, so I'm a little fearful our private data was accessed. API keys were leaked as part of this hack. It's unclear from the press release whether the hackers used the API keys to access customers' data/documents.

On April 24th they became aware of the issue, reporting it over a week later. I'd also be curious how long this problem went on before being detected on April 24.

I suppose more will come out in the coming days...

Hashed passwords? Surely they mean hashed and salted passwords. Right? Right???
They were using SHA1, then they migrated.

68 million accounts dumped: https://www.theguardian.com/technology/2016/aug/31/dropbox-h...

https://www.troyhunt.com/the-dropbox-hack-is-real/

Now they first hash the password using SHA512 (with a per-account salt),

then they hash the result with bcrypt (with the default strength),

then they encrypt that hash with a key that the application server runs with, but that is not stored in the database.

So yes, hashed and salted.
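The three layers described in that comment (salted SHA-512, a slow hash, then encryption under a key the database never holds), as an added example that is not Dropbox's code. bcrypt is not in Ruby's standard library, so PBKDF2-HMAC-SHA256 stands in for the middle layer; the server key and iteration count are constructed values.

```ruby
require 'openssl'
require 'securerandom'
# Constructed server-side key: in the scheme above it lives with the application
# server, never in the database. Random here for the demo.
SERVER_KEY = SecureRandom.random_bytes(32)
ITERATIONS = 100_000 # cost of the slow-hash layer

# Layer 1: SHA-512 over per-account salt + password (fixed 64-byte output).
def prehash(password, salt)
  OpenSSL::Digest::SHA512.digest(salt + password.b)
end

# Layer 2: slow hash. bcrypt is not in Ruby's standard library, so PBKDF2-HMAC-SHA256
# stands in for it here, reusing the per-account salt; 32-byte output.
def slow_hash(prehashed, salt)
  OpenSSL::KDF.pbkdf2_hmac(prehashed, salt: salt, iterations: ITERATIONS, length: 32, hash: 'sha256')
end

# Layer 3: AES-256-GCM under the server key, fresh 12-byte nonce per record.
def encrypt(data)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = SERVER_KEY
  nonce = c.random_iv
  c.auth_data = ''
  ct = c.update(data) + c.final
  [nonce, ct, c.auth_tag]
end

def decrypt(nonce, ct, tag)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = SERVER_KEY
  c.iv = nonce
  c.auth_tag = tag
  c.auth_data = ''
  c.update(ct) + c.final
end

def constant_time_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |d, (x, y)| d | (x ^ y) }.zero?
end

# What the database row holds: salt, nonce, ciphertext, tag. No key.
def store_password(password)
  salt = SecureRandom.random_bytes(16)
  nonce, ct, tag = encrypt(slow_hash(prehash(password, salt), salt))
  { salt: salt, nonce: nonce, ct: ct, tag: tag }
end

def verify_password(record, password)
  expected = decrypt(record[:nonce], record[:ct], record[:tag])
  candidate = slow_hash(prehash(password, record[:salt]), record[:salt])
  constant_time_equal?(expected, candidate)
rescue OpenSSL::Cipher::CipherError
  false # GCM tag check failed: row tampered with, or decrypted under the wrong server key
end
```

Because the outer layer is reversible, the server key can be rotated by decrypting and re-encrypting each row without the user's password, which a pepper folded into the hash could not do.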

This hack seems to affect the Dropbox Sign application, which is based on HelloSign which they acquired a few years ago. It’s still running on the hellosign.com domain and seems mostly separate, so it wouldn’t surprise me if they also store passwords differently.
That… seems excessive. Is it just security theater or actually useful somehow?
Useful because you can support existing passwords without requiring everyone to log in or reset their password. It still has flaws though, like password shucking.
They encrypt the salted password hash?