The Hacker News — Cyber Security, Hacking, Technology News

Over a month ago, The Hacker News reported about the Dropbox Hack, where hackers had managed to steal more than 68 Million Dropbox accounts in a data breach that was initially disclosed by the online cloud storage platform in 2012.

Although the initial announcement failed to reveal the true scale of the data breach, it was in late August when the breach notification service LeakBase obtained files containing details on over 68 million accounts, which contains email addresses and hashed passwords for Dropbox users.

Last month, a hacker was selling this Dropbox data dump on a Dark Web marketplace known as TheRealDeal for around $1200.

However, Motherboard recently discovered that a researcher has just uploaded the full dump of hacked Dropbox database online.

Download DropBox Data Dump Here:

Thomas White, known online as The Cthulhu, uploaded Monday the full Dropbox data dump onto his website in a move, as he claims, to help security researchers examine the data breach.

So, anyone can now download the leaked database of 68,680,741 Dropbox accounts, containing email addresses and hashed passwords, totally for FREE.

"The ... dump was allegedly taken from Dropbox sometime in 2012 following a breach," White writes on his website. "I have assisted [in keeping] this breach public for those who are struggling to find a reliable source for research."

White is the same person who previously dumped accounts from massive data breaches in large enterprises, including extramarital affairs site Ashley Madison, social networking site Myspace, and more.

The good news is that out of 68 Million, around 32 Million passwords are secured using strong hashing function BCrypt, which makes it difficult for hackers to obtain many of users' actual passwords.

The rest of the account passwords are hashed with the SHA-1 hashing algorithm and also believed to have used a Salt – a random string added to the hashing process to further strengthen passwords to make it harder for hackers to crack them.

Moreover, the company previously ensured its affected customers that there is no evidence of any malicious access of their accounts, saying "Based on our threat monitoring and the way we secure passwords, we do not believe that any accounts have been improperly accessed."

Dropbox is one of many "Mega-Breaches" revealed this summer, when hundreds of millions of account credentials from years-old data breaches on famous social network sites, including LinkedIn, MySpace, VK.com and Tumblr, were exposed online.

The best way to protect yourself is to change your passwords for Dropbox and other online accounts, especially if you are using the same password for multiple websites, as well as use a good password manager to create and manage complex passwords for different sites.

However, DropBox has already emailed all affected users and completed a password reset process for anyone who had not updated their password since mid-2012, ensuring that hackers can not access your Dropbox accounts even if they crack leaked passwords.

Two Google engineers have developed a draft version of an API called WebUSB that would allow you to connect your USB devices to the Web safely and securely, bypassing the need for native drivers.

WebUSB – developed by Reilly Grant and Ken Rockot – has been introduced to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG), is build to offer a universal platform that could be adopted by browser makers in future versions of their software.

Connecting USB Devices to the Web

WebUSB API allows USB-connected devices, from keyboards, mice, 3D printers and hard drives to complex Internet of Things (IoTs) appliances, to be addressed by Web pages.

The aim is to help hardware manufacturers have their USB devices work on any platform, including Web, without having any need to write native drivers or SDKs for a dedicated platform.

Besides controlling the hardware, a Web page could also install firmware updates as well as perform other essential tasks.

However, the draft API (Application Program Interface) is not meant to be used for transferring files to or from flash drives.

"With this API hardware manufacturers will have the ability to build cross-platform JavaScript SDKs for their devices," Google engineers wrote in the draft project description.

"This will be good for the Web because, instead of waiting for a new kind of device to be popular enough for browsers to provide a specific API, new and innovative hardware can be built for the Web from day one."

Privacy and Security Concerns

The Google engineers also outlined security concerns.

• WebUSB will include origin protections, like a type of the Cross-Origin Resource Sharing (CORS), to restrict the Web pages from requesting data from other domains except the one from where they originate.

This means a Web page could not be able to exploit your USB device to access your PC, or your important files or any files that your computer or the USB device itself may hold.

• To address the issue of USB devices leaking data, WebUSB will always prompt the user to authorize a website or web page in order to detect the presence of a device and connect to it.

For now, the WebUSB is only a draft of a potential specification, which hasn't been officially adopted by W3C. WebUSB remains a work in progress at the current, though you can check out the full WebUSB codebase on GitHub.