The severity stems from the unfortunate fact that a password leak retroactively, and silently, destroys your security across all sites that use the same or a similar password. Even if you started using the longest, randomised, two-factor-authenticated password system last year, all those forgotten or seemingly unimportant accounts are suddenly exposed.
Even when the exposed sites have minimal information or impact, minor information in aggregate adds up to a lot of danger for escalation and social engineering.
Now consider that there are huge swaths of people with the same password that they've used for email, banking, medicare, and everything else.
A proper response from Dropbox would be to explicitly and loudly inform every leaked email address (not just their current users) that they need to immediately change every password across any and all sites that might use the same leaked credentials.
Furthermore, Dropbox should set up a secure site with a unique link per email address that allows a user to key-in and check their memory against the exposed hash. I know that I have changed my password for Dropbox at least twice since 2012, but in 2012 I might have used an insecure password. Allowing me to figure it out before a nefarious party would allow me to better judge the potential personal impact.
That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved. Still a non-zero risk, but I could see a case that the severity of that risk is low.
The significantly greater issue imo is the leaking of email addresses and ensuing spam.
> That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved.
If I'm interpreting the hashcat screenshot correctly (I'm probably not, and even if I am it's probably skewed by init overhead or by not counting the final result) it looks like passwords can be attacked at ~6ms/dictionary attempt against the bcrypt passwords? While HIBP didn't get their hands on salts for the SHA1s, that doesn't mean they weren't breached as well.
I take it as a given that all high value dropbox accounts with a weak password in this breach will be pwnt.
Then again, it took until last week for anyone to try and grab my Minecraft account (successful email change, but successful resecure.) Given that HIBP knew about 1 of the 4 breaches I'm aware of for similarly weak passwords, I'm surprised it took this long... (I've since finally gotten off my ass and better secured all the legacy old terribly passworded accounts I can think of / were listed in my password database...)
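As an added illustration of the storage-format point in the post above, and not code from the thread or from Dropbox: a small Python audit that parses bcrypt strings in modular-crypt format to pull out the cost factor, flags legacy bare SHA-1 entries, and turns a measured per-guess time such as the ~6 ms quoted above into a dictionary-run estimate. It also shows why per-record salts remove the amortisation that makes unsalted fast hashes the riskier half of such a dump. The accounts and hash strings are constructed, the 6 ms figure is the one from the post, and `min_cost=10` is an assumed policy, not a Dropbox setting.

```python
import hashlib
import re
import time

# bcrypt modular-crypt string: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Bare hex SHA-1 digest, the way many pre-bcrypt credential stores kept passwords
HEX_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample records (hypothetical accounts). The bcrypt strings are
# well-formed but were not produced from any real password or real user.
SAMPLE_SALT = "N9qo8uLOickgx2ZMRZoMye"
SAMPLE_DIGEST = "IjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_RECORDS = [
    ("user1@example.com", f"$2b$10${SAMPLE_SALT}{SAMPLE_DIGEST}"),    # bcrypt, cost 10
    ("user2@example.com", f"$2a$05${SAMPLE_SALT}{SAMPLE_DIGEST}"),    # bcrypt, cost 5 (weak)
    ("user3@example.com", hashlib.sha1(b"constructed").hexdigest()),  # legacy SHA-1
]


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into (variant, cost, salt, digest); ValueError if malformed."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt, digest = m.groups()
    return variant, int(cost), salt, digest


def classify_hash(hash_str):
    """Label a stored hash as 'bcrypt', 'sha1' (bare hex) or 'unknown'."""
    if BCRYPT_RE.match(hash_str):
        return "bcrypt"
    if HEX_SHA1_RE.match(hash_str):
        return "sha1"
    return "unknown"


def scale_guess_time(measured_seconds, measured_cost, target_cost):
    """bcrypt work doubles per cost increment, so rescale a measured per-guess time."""
    return measured_seconds * 2 ** (target_cost - measured_cost)


def bcrypt_dictionary_seconds(n_hashes, dictionary_size, seconds_per_guess):
    """Every bcrypt record has its own salt, so each guess is paid once per hash."""
    return seconds_per_guess * dictionary_size * n_hashes


def unsalted_dictionary_seconds(dictionary_size, guesses_per_second):
    """Unsalted hashes let one computed guess be compared against every record at once."""
    return dictionary_size / guesses_per_second


def sha1_guesses_per_second(sample=200_000):
    """Rough single-core hashlib SHA-1 rate; a lower bound for what GPUs reach."""
    payload = b"password123"  # candidate content is irrelevant to the timing
    start = time.perf_counter()
    for _ in range(sample):
        hashlib.sha1(payload).digest()
    elapsed = max(time.perf_counter() - start, 1e-9)
    return sample / elapsed


def audit(records, min_cost=10):
    """Return one finding per record: format, bcrypt cost, and whether a reset is due."""
    findings = []
    for email, stored in records:
        kind = classify_hash(stored)
        cost = None
        if kind == "bcrypt":
            _, cost, _, _ = parse_bcrypt(stored)
            finding = "ok" if cost >= min_cost else f"bcrypt cost {cost} below minimum {min_cost}"
        elif kind == "sha1":
            finding = "legacy SHA-1: fast to guess, force a reset"
        else:
            finding = "unrecognised hash format"
        findings.append({"email": email, "kind": kind, "cost": cost, "finding": finding})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f['email']:20} {f['kind']:7} cost={f['cost']}  {f['finding']}")
    words = 10**6  # assumed dictionary size for the estimate
    print(f"bcrypt @6ms, 1 hash, {words:,} words: {bcrypt_dictionary_seconds(1, words, 0.006)/3600:.1f} h")
    rate = sha1_guesses_per_second()
    print(f"unsalted SHA-1 on this CPU ({rate:,.0f}/s), same dictionary: "
          f"{unsalted_dictionary_seconds(words, rate):.2f} s for all records together")
```

Run it as a script to see the per-record findings; the point the numbers make is that the bcrypt half of the dump costs an attacker hours per account for a modest dictionary, while an unsalted fast-hash half falls to the same dictionary in seconds for every record at once.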
I think the risk is a lot higher than described by this post or dropbox. There are nearly 70 million credentials, and email addresses actually contain a fair amount of heuristic information for an attacker. For example just filter down to addresses from hotmail or yahoo, and suddenly you have a list of credentials that are far more likely to be susceptible to a dictionary attack.
As far as what we know about these cryptosystems today, the passwords are no more accessible via this breach than they are when you send them over TLS. How is that severe at all?