On Monday an anonymous hacker claimed to be in possession of 7 million passwords to Dropbox accounts. While that claim was probably false, it demonstrates an increasingly common way that hackers gain access to your passwords.
The hacker posted around 400 usernames and passwords on anonymous note site Pastebin in a series of “teasers” for the main list. Some Reddit users were able to successfully log into Dropbox using the information posted before the company deactivated all of the leaked passwords.
But Dropbox was quick to cast doubt on the claims, denying that it had been hacked and claiming that many of the usernames and passwords were not even related to Dropbox accounts.
So where do the passwords come from? After all, they worked, for a time.
The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.
The recent Snapchat hack, which saw nearly 100,000 private photos and videos posted online, happened because an amateur developer hadn’t securely set up his website. In a post on the Snapsaved Facebook page, the site’s anonymous founder explains that a mis-configured Apache server left the files vulnerable to hackers.
Hackers don’t need to try to target the tech giants anymore. Why bother trying to hack into Google, Apple or Facebook’s servers when you can simply take advantage of a poorly built website to get the same information?
We’re now seeing hackers use a new approach. Instead of spending months finding vulnerabilities in large sites, they re-use login information stolen from amateur third-party apps. Chances are that the information works for several sites, so compiling these caches of data together can quickly create a list of millions of passwords.
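The two points above (a small app storing credentials so they can be stolen outright, and the same password then working on other sites) can be made concrete. The following is an added example and not code from the article or from any of the companies it mentions; the two toy "sites", the user, and the small "known breach" list are all constructed. It contrasts a record stored in plaintext with one stored as a salted PBKDF2 hash, shows what a thief learns from each, and adds the registration-time check a site can run so that a password already exposed in a public dump is refused.

```python
import hashlib
import hmac
import os

# Added example (not from the article). Two toy "sites" hold the same user's
# password: one stores it the way a careless app might, the other the way a
# hardened app should. Names and the sample breach corpus are constructed.

PBKDF2_ITERATIONS = 200_000


def store_plaintext(username: str, password: str) -> dict:
    """Careless storage: the password is kept verbatim, so a stolen
    database hands the thief a ready-to-reuse credential."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str) -> dict:
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    A stolen record reveals neither the password nor anything that
    works as a login on another site."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "user": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Login check against a hashed record, using a constant-time compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_password_from(record: dict):
    """What a thief learns from a stolen record: the plaintext if it was
    stored, otherwise nothing directly usable (None)."""
    return record.get("password")


# Constructed "known breach" corpus. A site can keep digests of passwords
# seen in public dumps and refuse them at registration or password change,
# so a password leaked elsewhere cannot be reused here.
_CONSTRUCTED_BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ["hunter2", "password123", "letmein2012"]
}


def is_known_leaked(password: str, corpus=_CONSTRUCTED_BREACH_CORPUS) -> bool:
    """True if the candidate password appears in the breach corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in corpus


if __name__ == "__main__":
    careless = store_plaintext("alice@example.com", "hunter2")
    hardened = store_hashed("alice@example.com", "hunter2")
    print("stolen from careless site:", leaked_password_from(careless))  # hunter2
    print("stolen from hardened site:", leaked_password_from(hardened))  # None
    print("hardened login, right password:", verify_hashed(hardened, "hunter2"))
    print("hardened login, stolen hash as password:",
          verify_hashed(hardened, hardened["hash"]))
    print("registration check rejects reused password:", is_known_leaked("hunter2"))
```

The breach-corpus check is the defensive counterpart of the compiled lists the article describes: the same public dumps that let an attacker try old passwords elsewhere let a site refuse those passwords before they are ever reused.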
In September, Russian hackers published a list of 5 million passwords to a variety of different email providers, including Gmail. It wasn’t a new leak, but a collection of older password leaks compiled together to seem new. Sure, many of the email accounts had been closed, but the information could still be downloaded and used by hackers to break into other accounts.
So why are hackers re-using old information? There’s rarely evidence that they actually use the passwords to log into sites. Instead, it seems like they just post the information online. Or at least, they post some of the information online. As we mentioned before, hackers leak partial collections of passwords as “teasers.” This is often accompanied by a request for Bitcoin donations.
We can use the public nature of Bitcoin addresses to see just how much hackers gain for posting passwords online. It’s often less than they expect to receive. The hacker who shared the collection of Dropbox passwords received just 8 cents. Similarly, OriginalGuy, the anonymous forum poster behind the first wave of hacked iCloud celebrity photos, expressed dismay at the small trickle of donations that came his way, remarking:
Sure, I got $120 with my Bitcoin address, but when you consider how much time was spent acquiring this stuff (I’m not the hacker, just a collector), and the money (I paid a lot via Bitcoin as well to get certain sets when this stuff was being privately traded on Friday/Saturday) I really didn’t get close to what I was hoping for.
We’re seeing more and more passwords leak online. Amateur developers aren’t stepping up password security, and existing leaks continue to resurface. While the information made public is often several years out of date (many of the emails posted along with the Dropbox passwords were deactivated in 2012), it’s still valuable to hackers compiling large lists of email addresses and passwords to be used in attacks against other sites.
And, just in case it isn’t clear, this is your fault, too: if you’re using the same passwords over and over with different apps, then hackers don’t need to get into Apple or Facebook’s servers to find them. They simply identify the smaller apps with the weakest password security.