Recent data breaches underline the need for Internet users to regularly update the passwords for all their Internet accounts.
On Wednesday, Spotify reset the passwords of an unspecified number of users, just a day after data on 68 million accounts from Dropbox began reaching the Internet.
In a notice to users, Spotify said their credentials may have been compromised in a leak involving another service, if they used the same password for both.
“Spotify has not experienced a security breach and our user records are secure,” the company said in an email. The password reset is merely a precaution, it said.
There’s plenty of reason for Spotify to be cautious. Stolen Dropbox data, including user email addresses and hashed passwords probably taken in 2012, has begun circulating on the Internet.
Three sites that compile stolen accounts from data breaches were supplied copies of the stolen information and said it affects 68 million Dropbox users.
In addition, browser provider Opera said last week that its users’ data may have been compromised in a separate hack. That breach targeted Opera’s sync system, which stores passwords for sites that users visit, and 1.7 million users may have been affected.
Both Dropbox and Opera have already issued password resets. However, the affected passwords may also have been used for other Internet accounts. That could still give hackers a launching pad to attack users.
Fortunately, the stolen passwords from Dropbox and Opera were hashed, meaning they have to be cracked in order to be read.
That doesn’t mean hackers won’t try. LeakBase, a repository for data breaches, obtained a copy of the Dropbox database and is trying to crack the passwords, which were secured using a hashing function called bcrypt.
“We are working on those, however it is taking a while,” LeakBase said in a message on Twitter.
Hackers may have tried to do the same. Dropbox says the data was probably stolen four years ago and the theft is only now becoming widely known.
However, bcrypt hashes are “exceptionally” difficult to crack due to the time and effort needed, said Troy Hunt, the creator of Have I been pwned?, another website that tracks data breaches. Only poorly chosen passwords that can be easily guessed are at risk, he said.
Even without the passwords, the stolen email addresses can be quite useful for hackers to attack other affiliated Internet accounts, said Adam Levin, chairman of security firm IDT911.
“All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions,” he said in an email.