Category Archives: PASSWORDS

Dropbox hack leaks 68 million usernames and passwords

A hack way back from 2012 reportedly resulted in the breach of far more user information than previously believed.



Wait, how many accounts were affected by a 2012 hack on Dropbox? About 68 million, according to multiple reports.

Back in 2012, Dropbox disclosed that a hacker had gained access to its internal systems and obtained a list of user email addresses. It didn’t say the list included passwords.

Now Motherboard, security expert Troy Hunt, and online leak-tracker LeakedSource have each reported they reviewed stockpiles of account information from Dropbox. The account information includes emails as well as passwords, which are encrypted.

Dropbox head of trust Patrick Heim confirmed in a statement that the usernames and passwords were from mid-2012. The company said all customers who haven’t updated their passwords since that time period have been required to change their passwords.

Heim also reminded users that they should think about whether they reused their Dropbox passwords in other accounts.

“While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites,” Heim said in a statement.


Henry Sapiecha

Hacker claims to be selling millions of Twitter account details

The hacker has links to the MySpace, LinkedIn, & Tumblr “mega breaches.”


A hacker, who has links to the recent MySpace, LinkedIn, and Tumblr data breaches, is claiming another major tech scalp — this time, it’s said to be millions of Twitter accounts.

A Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained the database, which includes email addresses (and sometimes two per person), usernames, and plain-text passwords.

Tessa88 is selling the cache for 10 bitcoins, or about $5,820 at the time of writing.

The seller said they obtained 379 million accounts as early as 2015. That would be far more than its 310 million monthly active users, but could account for cumulative accounts, such as inactive users.

An analysis of the database by LeakedSource, a breach notification site which received the database from the seller on Wednesday, showed there are in fact over 32 million purported accounts in the database, after duplicates were removed.

LeakedSource said in a blog post that it was unlikely that Twitter was breached, and pointed to malware as the culprit.

“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” the blog post said.

The group said it was able to verify the passwords associated with 15 users. LeakedSource shared a portion of the database with me. Two colleagues whose email addresses were in the database were able to verify their password. A third colleague said they had not used the email address found in the database to join Twitter.

LeakedSource said that the passwords were likely “stolen directly from consumers, therefore they are in plaintext with no encryption or hashing.” The group said it did not believe that Twitter stored data in plain text at the time the data was taken, thought to be around 2014.

“These credentials however are real and valid,” said the group. “The lesson here? It’s not just companies that can be hacked, users need to be careful too.”

As we’ve seen in recent data breaches, the most common password was “123456,” with the third and fourth most common passwords being “qwerty” and “password” respectively.

A Twitter spokesperson said in prepared statement: “We are confident that these usernames and credentials were not obtained by a Twitter data breach — our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

In a recent tweet, the company also said that it periodically checks its data against recent password leaks to ensure that accounts stay secure.
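The article says Twitter and LinkedIn check their own data against published leaks, but not how. The block below is an added example, not code from the article or from either company, of the general approach: hash the candidate password locally, send only a short prefix of the hash to whoever holds the leaked list, and match the rest on the caller’s side, so neither the password nor its full hash ever leaves. The split follows the range-query (k-anonymity) design of Troy Hunt’s Pwned Passwords service; the corpus, its counts and the reset policy are constructed for this example.

```python
"""Added example, not part of the article and not Twitter's or LinkedIn's own
code: checking a credential against a leaked-password list without sending the
password, or even its full hash, to the party holding the list.

The corpus is constructed for this example. The split follows the range-query
(k-anonymity) design of Troy Hunt's Pwned Passwords service: the caller sends
the first 5 hex characters of the SHA-1 hash and matches the suffix locally.
"""
import hashlib
from typing import Dict, List, Tuple

PREFIX_LEN = 5

# Constructed corpus: leaked password -> number of times it was seen in dumps.
# The passwords are the ones the article names; the counts are made up.
LEAKED_CORPUS: Dict[str, int] = {
    "123456": 120_417,
    "qwerty": 17_902,
    "password": 14_311,
    "dadada": 1,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LeakIndex:
    """Holder of the leaked list. Hashes are bucketed by prefix, so answering a
    query discloses one bucket, never which entry the caller was after."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.buckets: Dict[str, List[Tuple[str, int]]] = {}
        for password, count in corpus.items():
            digest = sha1_hex(password)
            prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
            self.buckets.setdefault(prefix, []).append((suffix, count))
        self.queries_seen: List[str] = []  # all the holder learns about callers

    def range_query(self, prefix: str) -> List[Tuple[str, int]]:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.queries_seen.append(prefix.upper())
        return list(self.buckets.get(prefix.upper(), []))


def times_seen(password: str, index: LeakIndex) -> int:
    """Caller side: hash locally, send only the prefix, match the suffix here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for stored_suffix, count in index.range_query(prefix):
        if stored_suffix == suffix:
            return count
    return 0


def should_force_reset(password: str, index: LeakIndex) -> bool:
    """Policy hook, an assumption for this example: any appearance in the
    leaked list is enough to require a new password at next login."""
    return times_seen(password, index) > 0


if __name__ == "__main__":
    idx = LeakIndex(LEAKED_CORPUS)
    for candidate in ("123456", "dadada", "correct horse battery staple"):
        print(candidate, times_seen(candidate, idx), should_force_reset(candidate, idx))
```

The `queries_seen` list makes the privacy property visible: after a run, the holder of the list has only five-character prefixes, each shared by a whole bucket of unrelated hashes, and cannot tell which password any caller was checking.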

Given the high-profile Twitter account takeovers in recent days — which included Facebook co-founder Mark Zuckerberg — it would be an easy assumption to make that Twitter had been hacked.

But Zuckerberg’s account was not in the database obtained by LeakedSource, the blog post said.

The hackers who took over Zuckerberg’s account said at the time they acquired his “dadada” password from the LinkedIn breach.

When asked, a LinkedIn spokesperson declined to comment, pointed to a recently-updated company blog post, but ruled out any new breach, and advised users to change any re-used passwords on other sites.



Ubuntu Forums hack exposes 2 million site users

An anonymous hacker grabbed usernames, email addresses, and salted and hashed passwords.


The company that builds Ubuntu, a popular Linux distribution, has said its forums were hacked Thursday.

Canonical, which develops the operating system, said in a statement on Friday that two million usernames, email addresses, and IP addresses associated with the Ubuntu Forums were taken by an unnamed attacker.

The attacker was able to exploit an SQL injection vulnerability in an add-on used by older vBulletin forum software.

That gave the attacker access to the forum’s databases, but the company said that only limited user data was accessed and downloaded.

The statement stressed that no code or repository data was accessed, and the attacker couldn’t write data to the database or gain shell access. The attacker also didn’t gain access to any other Canonical or Ubuntu service.

Since the breach, the servers were wiped, rebuilt, and hardened, passwords were changed, and the forum software was fully patched.

The statement added that although the forums relied on Ubuntu’s single sign-on service, the passwords were hashed and salted, turning them into randomized strings of data. But the statement did not say which hashing algorithm was used — some algorithms, like MD5, are still in use but are deprecated, as they can be easily cracked.

A spokesperson for the company did not immediately respond to a question about the hashing algorithm.
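The article notes that the passwords were “hashed and salted” but that the algorithm was not named, and that unsalted MD5 is deprecated because it is easily cracked. The block below is an added example, not code from the article, from Canonical or from vBulletin, that shows the difference a stolen user table exposes: with unsalted MD5, two users who chose the same password produce identical stored values, so the dump reveals shared passwords (and matches precomputed tables) before any cracking starts; with a per-user random salt and a deliberately slow key derivation, the same password produces unrelated records. The record format and the PBKDF2 iteration count are this example’s own choices.

```python
"""Added example, not from the article or from Canonical/vBulletin: what
'hashed and salted' buys a site whose user table is stolen, compared with the
unsalted MD5 the article calls deprecated.

The record format (algorithm$iterations$salt$digest) and the iteration count
are this example's own choices.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption: a work factor chosen for this example, not a Canonical setting.
PBKDF2_ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """Unsalted, fast digest: the same password always yields the same string."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted digest. A fresh 16-byte random salt is drawn per record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        cost = int(iterations)
    except ValueError:
        return False  # a malformed record never verifies
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(candidate, expected)


def reveals_shared_passwords(stored_values: List[str]) -> bool:
    """True when two stored values are byte-identical, which tells whoever holds
    the dump that those users share a password before any cracking is attempted."""
    return len(set(stored_values)) < len(stored_values)


def demo() -> dict:
    # Constructed user table: two users who picked the same weak password.
    users = {"alice": "password", "bob": "password"}
    md5_dump = [md5_unsalted(pw) for pw in users.values()]
    salted_dump = [hash_password(pw) for pw in users.values()]
    return {
        "md5_reveals_shared": reveals_shared_passwords(md5_dump),
        "salted_reveals_shared": reveals_shared_passwords(salted_dump),
        "salted_verifies": all(verify_password("password", r) for r in salted_dump),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm and cost inside each record is what lets a site raise the work factor later, or migrate away from a deprecated algorithm, by rehashing at the user’s next successful login rather than forcing a mass reset.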



US appeals court: Anti-hacking law applies to password sharing case

The 9th Circuit Court of Appeals ruling expands the scope of the already-broad Computer Fraud and Abuse Act.


A US appeals court on Tuesday ruled that the Computer Fraud and Abuse Act, a broad anti-hacking law passed in 2005, applies to a case in which a former executive gained access to his former employer’s confidential client data through a password that was voluntarily shared with him.

In a two-to-one ruling, a three-judge panel on the 9th Circuit Court of Appeals upheld the conviction of David Nosal, who used the information from his former employer — Korn/Ferry International — to start a new firm. He gained access to the data after his former secretary shared her password with him.

The ruling expands the already-sweeping scope of the CFAA, which imposes criminal penalties on anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

The Nosal case focused specifically on the question of whether he acted “without authorization”. The panel concluded that “‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission”.

The court panel also upheld Nosal’s conviction for trade secret theft under the Economic Espionage Act.

In his dissent, the court summary of the ruling notes, Judge Stephen Reinhardt “wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”.

The practice of sharing passwords isn’t uncommon, according to a SailPoint survey released earlier this year. It polled 1,000 office workers across six nations and found nearly one in three are willing to share passwords with their co-workers.

The CFAA — opposed by the Electronic Frontier Foundation for its scope — was also used to convict former Reuters editor Matthew Keys of helping Anonymous to deface the LA Times in 2010. Keys, who denied the charges against him, was sentenced to two years in prison.

UPDATE: This article was corrected to note that Keys was sentenced to two years in prison; he is not serving two years in prison.




A day in the life of a cyber security expert

In part two of our three-part Stay Smart Online blog series, we meet Alexis Coupe, a cybersecurity analyst at nbn. Alexis talks to us about the importance of cyber security and shares his top security tip.

This week is Stay Smart Online Week, a government initiative to raise awareness amongst Australians about how they can help protect themselves and their businesses online.

To mark this, we are publishing a three-part blog series about cyber security.

In this post, we meet Alexis Coupe, a cybersecurity analyst at nbn, who talks to us about the importance of cyber security and shares his top security tip.

So Alexis, you’re an nbn Cyber Analyst, what does that actually mean?

A Cyber Security Analyst, to some extent, is like the cyber police.


They help prevent cyber-attacks, primarily through their expertise in identifying a security event as an intrusion attempt or just common network traffic.

It’s the role of a cyber-analyst to understand the links between security and business threats (such as networks, databases, firewalls, web applications, etc) and offer proactive and dynamic solutions to identify threats and incidents.
Through constant monitoring and analysis of the network, we seek to detect the theft of sensitive information, spreading of malware, phishing campaigns, and the occasional network intrusion.

That being said, it’s not like CSI (Crime Scene Investigation): it’s 80 per cent cyber analysis and 20 per cent excitement!

What does a typical day look like for you?

Each day is different and that’s the amazing part of my work.

In theory, we typically cut a day into different sections:

I spend about 10 per cent of my time following the international security news and social networks in order to identify new threats, such as current phishing campaigns or zero days which might be exploited on the internet.



It is critical that our security systems are updated to help protect against hackers, and we have access to the latest security toolkits. This is to make sure we know what the bad guys are doing and occasionally, use the tools in our lab to see how they work.

Fifty per cent of my time is spent dealing with current detections and incidents.

We interpret a security event and identify it as either a real attack or normal traffic. Approximately 40 per cent of my time is spent on the detection of new threats and R&D, which I enjoy the most about my job!

We do a lot of internal development and it gives me the opportunity to help build the security operations centre.

If you could give everyone reading this article one cyber security tip, what would it be?

Get a good practice for password management! Passwords with at least eight characters containing a mix of lower-case, upper-case characters, numbers, and punctuation marks are ideal.

Most people register on numerous websites with the same credentials and – believe it or not – even share their passwords with others – a security no-no.

Usually, the same password or a derivative of it is used for online banking access, email address, or other sensitive data.

With multiple websites requiring sign-ons, similar or same passwords, it can make it pretty easy for a malicious person to steal data, sensitive information and even money.

Using different passwords for different websites ensures that even if a website is hacked and your credentials are disclosed on the Internet, there will be no impact to your other accounts.

What’s the coolest part of your job?

The coolest part of my job is certainly the detection of new threats! To be able to do that effectively, we often need to think as an attacker and get creative.

When hackers decide to steal confidential documents, they try to make sure that they are not detected by the security team so they can come back in the future.

We try and get ahead in the game by simulating those activities and then trying to detect it ourselves.

We have the chance to play two different roles in one job (attack and defense), which allows the cyber security analysts to enhance their skills.

New security toolkits and techniques are released into market every day. It’s a great job where the term “boring” doesn’t exist!

What’s your cyber security tip for businesses?

A good practice is to understand the threat relative to the business, have the ability to detect a theft or a breach when it happens, and establish an immediate response plan when an incident occurs to minimise the potential loss.

Once an organisation understands this challenge about security, it will be able to invest time and money on an adequate detection and response.

What’s your favourite piece of technology and why?

It’s difficult to answer this question as I’m very addicted to technology! I could say laptop, Raspberry Pi, mobile phone, DSLR, Chromecast, but I’ll simply say: the internet!

I couldn’t live without the Internet, just like many others. With this technology, we’re able to do anything from connecting with people, researching references in the biggest library in the world, to booking a restaurant or a holiday.

It also gave me my job and my hobbies!




Apple asks widow to get court order to access her iPad, locked after her husband’s death


Your iPad and all your apps could be inaccessible if you don’t know the password. Photo: Bloomberg

After Peggy Bush’s husband, David, succumbed to lung cancer in August, she liked to play card games on their iPad to pass the time. The 72-year-old resident of British Columbia was on an app one day when it suddenly stopped working and she was unable to reload the device without providing a password for their Apple ID account.

Bush’s husband never told her the password, and she hadn’t thought to ask. Unlike so many of the things David had left for Bush in his will — car ownership, the title of the house, basically everything he owned — this digital asset followed him to the grave.

According to reporting by the Canadian Broadcasting Corp., the journey to procure the password proved more difficult than any other process involved in David’s passing.

“I thought it was ridiculous,” Bush told CBC. “I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password.”

At first, they thought the solution would be simple. Bush’s daughter, Donna, called Apple to ask about having the password retrieved and the account reset. The company then requested David’s will and death certificate.

When they got these documents together and called a second time, Apple said they had never heard of the case. Donna told CBC that it took several phone calls and two months of waiting for Apple to accept a notarised death certificate, her father’s will and the serial numbers for the iPad and Mac computer to which Bush also wanted access.

But this was not enough. Over the phone, a representative told Donna the next step: “You need a court order.”

“I was just completely flummoxed,” Donna told CBC. “What do you mean a court order?”

Obtaining one could cost thousands of dollars, depending on the need for a lawyer, so Donna decided to take her complaint straight to the top.

“I then wrote a letter to Tim Cook, the head of Apple, saying this is ridiculous,” she said. “All I want to do is download a card game for my mother on the iPad. I don’t want to have to go to court to do that, and I finally got a call from customer relations who confirmed, yes, that is their policy.”

While Bush had the option of setting up a new Apple ID account, that would have meant losing all the app purchases that she and her husband had made on the original one.

Bush ended up buying a new laptop (not a Mac). Her mission to gain access to her husband’s Apple ID seemed futile until CBC’s “Go Public” wing contacted the company on Bush’s behalf.

Apple apologised for the “misunderstanding” and has since started working with Bush to solve the issue without a court order, CBC reported this week.

For the Bushes, the overdue response feels like putting a Band-Aid on a larger problem.

“We certainly don’t want other people to have to go through the hassle that we’ve gone through,” Donna told CBC. “We’d really like Apple to develop a policy that is far more understanding of what people go through, especially at this very difficult time in our family’s life, having just lost my dad.”

Toronto estate lawyer Daniel Nelson told CBC that online access is controlled by service providers such as Apple, even if users own their digital material. He described the court order demand as “heavy-handed” but also said Canadian digital property laws are “murky.”

The question of whether digital assets should be treated the same as material possessions where inheritance is concerned has emerged naturally with the growing ubiquity of social media usage, but few concrete answers have been offered by lawmakers and legal authorities. Most nations and states place digital and physical property in different categories, and tech companies themselves prohibit password-sharing. This means that often a person’s virtual trail continues to float in cyberspace following their death, adding to the grief felt by surviving family.

The Washington Post



Three basic IT security tips for small businesses

Millions of small businesses are vulnerable to cybersecurity attacks that can cost an average of $20,000 per attack. Here is some basic wisdom to help SMBs protect themselves.


When massive organizations like Sony, Home Depot, and the Office of Personnel Management are hacked they grab equally massive headlines. Yet, while they rarely grab headlines, small and middle-market companies are particularly susceptible to hacks, said Chris Crellin, Senior Director of Product Management at Intronis, a data protection firm, because many SMBs can’t afford to employ a security team, or are uninformed of the risks posed by attackers.

“A lot of companies rely on the idea of ‘security through obscurity,'” said Crellin. “They’re focused on running their business and probably don’t spend a lot of time thinking about hackers.”

These attackers probably aren’t interested in any one particular small business, said Crellin, but they tend to rely on a shotgun strategy. “Small and middle-market businesses are targets because there are so many of them. It’s like a thief in a parking lot looking for one unlocked car.” If your organization is unlocked, he said, you’re a likely target.

Common methods of hacking—phishing, brute-force password attacks, keylogging spyware, and social engineering—can cost small and medium businesses thousands of dollars. According to the National Small Business Association 2014 year-end report, both the frequency and cost of small and middle-market business hacks are on the rise. In 2013 the cost of an average cyber-attack for a small business was just over $8,000 per attack. In 2014, that number jumped to over $20,000.

When integrating your service with other web tools, Gary Chou, founder of New York-based incubator OrbitalNYC, strongly recommends using tested and widely-used services. For example, if your company needs to process payments, “don’t try to host solutions yourself,” he advised. “Keeping [services] patched and secure is a full-time job, which can be hard to do as a small business. Use a service like Stripe for payments so that you don’t need to store customers’ credit card numbers.”

Chou had three other basic security tips for small business owners:

1. Don’t assume anything is secure. “If you have something hackers want (e.g. passwords, bank account numbers),” Chou said, “they will find a way to get it. Be selective about the information you choose to store in a database, whether it’s sensitive financial information or confidential data around customers.”

2. Change company and personal passwords regularly. Use a password that is long and difficult to guess. Strong passwords can equate to stronger security. Password managers like 1Password and Dashlane store and manage the keys to websites you visit frequently. A few bucks for an app, said Chou, can save thousands over time.

3. Use Open Source solutions whenever possible. “If you’re building a technology product, the value—and security—of open source projects is critical. [Open source projects] are most likely to find and quickly patch any discovered security flaws,” said Chou. “You can build faster and stay secure on reliable open source code.”

For many small and middle-market businesses the true cost of good security is time. But technology experts like Chou say good security doesn’t have to be expensive, and security best practices can be implemented for free or at low-cost. “Don’t try to simultaneously be a technology company alongside your core business,” he said.

Chris Crellin agrees: “Good security can be expensive, but locking your ‘car’ is free and can save your company a lot of money in the long run.”


It’s imperative that you have good passwords

The word 'password' is pictured on a computer screen in this picture illustration taken in Berlin

Before the Stories: The threat from criminals online continues to grow. It’s not just “hackers” but actual criminal activity, backed by organized crime, and perhaps even some governments. They want your passwords to bank accounts, and they use some pretty tricky and often sophisticated means to get them, either from you, or from sites they break into.

Thus it’s imperative that you have good passwords. What makes a password good? Long and complex, and unique. Long and complex makes it harder to crack; unique means that if a password is compromised, it can’t be used to get into other accounts too. (How many of you have the same login and password at more than one financial site?!) The problem is, such passwords are very hard to remember, and type. But software comes to the rescue: there is software that “remembers” all of your passwords so you don’t have to, and enters them when necessary — after checking to ensure that you’re really at your bank’s site, not one that just looks like your bank’s site with a quick glance. Then, you only have to remember one password: the one to unlock the software that holds your passwords for you. The good news is, such programs are pretty easy to use: 80-year-olds who can use banking sites can certainly use this software easily; no mad tech skillz required.

But are they safe? Yes: your passwords are encrypted using the password you choose. Even if you use a service that holds copies, they’re well secured. If you want more assurance than that, consider that Wired magazine notes that 73 percent of computer security professionals use password vault software, while only 24 percent of “non-experts” do. Frankly, I’m surprised it’s that high. I use LastPass, which is free for most uses (no excuses!). If you want to have secure access to your passwords on your smartphone too, they ask for a mere $12/year for that. But again, on your computer, it’s completely free. A small price to pay for a wall around your bank accounts to protect you from organized crime.
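The previous passage’s point that a password manager fills a login only “after checking to ensure that you’re really at your bank’s site, not one that just looks like” it is the property that makes a vault resistant to phishing. The block below is an added example, not code from the article and not how LastPass or any particular product is implemented, of such an origin check: the saved login is bound to an https origin (host and port), and lookalike hostnames, a downgrade to plain http, a different port, or a URL that smuggles the bank’s name into the userinfo part all fail to match. The fill rule and the test URLs are constructed for this example.

```python
"""Added example, not from the article and not how LastPass or any specific
password manager is implemented: the origin check a password vault performs
before filling a saved login, so a page that merely looks like the bank's
site gets nothing.

The rule here is this example's own: fill only when the scheme is https and
the host and port match the saved entry exactly.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]


def normalized_origin(url: str) -> Optional[Origin]:
    """Return (scheme, host, port) for an https URL, or None if it is not one
    a vault should ever fill into (plain http, missing host, bad port)."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return None
        host = parts.hostname  # userinfo such as 'bank.example@' is stripped here
        if not host:
            return None
        port = parts.port or 443
    except ValueError:
        return None
    return ("https", host.lower(), port)


def should_autofill(saved_url: str, current_url: str) -> bool:
    """True only when the page's origin equals the origin the login was saved for."""
    saved = normalized_origin(saved_url)
    current = normalized_origin(current_url)
    return saved is not None and current is not None and saved == current


# Constructed cases: one saved bank login against pages a user might land on.
SAVED_LOGIN_URL = "https://bank.example/login"
CASES = {
    "https://bank.example/accounts/summary": True,       # same site, other path
    "https://BANK.example/login": True,                  # host case is irrelevant
    "http://bank.example/login": False,                  # downgraded transport
    "https://bank.example.evil.example/login": False,    # lookalike subdomain
    "https://bank-example.example/login": False,         # lookalike domain
    "https://bank.example@evil.example/login": False,    # userinfo trick
    "https://bank.example:8443/login": False,            # different port
}


def run_cases() -> dict:
    return {url: should_autofill(SAVED_LOGIN_URL, url) for url in CASES}


if __name__ == "__main__":
    for url, decision in run_cases().items():
        print(f"{decision!s:5}  {url}")
```

Comparing parsed origins rather than doing a substring match on the URL is the whole point: a human glancing at the address bar sees “bank.example” in every one of the false cases, while the parser sees a different host each time.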
