Dropbox hack released details of more than 68M accounts, report says
Dropbox recently notified users of a potential forced password reset after its security team discovered a batch of account credentials believed to have been obtained from a known 2012 data breach. While the initial announcement failed to specify the exact number of impacted users, a report on Tuesday puts the number at well over 68 million.
In a set of files obtained through sources in the database trading community and Leakbase, Motherboard found evidence relating to 68,680,741 Dropbox accounts, including email addresses and hashed, or salted, passwords. An unnamed Dropbox employee verified the data's legitimacy.
It is unclear how many users have been impacted by the hack dating back to 2012, but today's report is the first to offer detail on the previously disclosed breach.
Last week Dropbox sent out emails alerting an unknown number of users that they might be prompted to change their password if they had not done so since mid-2012. The company said the measure was "purely preventative," apologized for the inconvenience and directed users looking for further details to a Help Center webpage. The FAQ runs through the password reset process and, about halfway down the page, reveals the impetus behind the new protocol.
Within Motherboard's cache of user data, almost 32 million of the passwords are secured using the "bcrypt" hashing function, while the remainder are protected by what is believed to be salted SHA-1 hashes.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Dropbox's Head of Trust and Security, Patrick Heim. "We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
In a set of files obtained through sources in the database trading community and Leakbase, Motherboard found evidence relating to 68,680,741 Dropbox accounts, including email addresses and hashed, or salted, passwords. An unnamed Dropbox employee verified the data's legitimacy.
It is unclear how many users have been impacted by the hack dating back to 2012, but today's report is the first to offer detail on the previously disclosed breach.
Last week Dropbox sent out emails alerting an unknown number of users that they might be prompted to change their password if they had not done so since mid-2012. The company said the measure was "purely preventative," apologized for the inconvenience and directed users looking for further details to a Help Center webpage. The FAQ runs through the password reset process and, about halfway down the page, reveals the impetus behind the new protocol.
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.
Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in.
Within Motherboard's cache of user data, almost 32 million of the passwords are secured using the "bcrypt" hashing function, while the remainder are protected by what is believed to be salted SHA-1 hashes.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Dropbox's Head of Trust and Security, Patrick Heim. "We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
Comments
I've been prompted for several of my accounts, but none of them have prompted me to choose a new password upon login. That leaves one feeling puzzled in and of itself.
I knew there was a reason why I've been avoiding Dropbox.
It is inexcusable for a company like Dropbox to drop the ball like they did. Really. I didn't even know anything about a breach back in 2012. What measures were in place since then to now to ensure that no one hacked into my account and did something nefarious in there?
Having said that, Dropbox is still an excellent service.
It's like being pushed down a cliff, and then out of purely preventive reasons hand you the phone number of a doc. Oh, but do this a few years after the incident.
I use dropbox and iCloud, but such things do not foster my confidence in cloud solutions. What's worse: the fact that it happened, or telling you four years after the fact?
I imagne that Apple tried to sidestep such a massive implementation by trying to buy Dropbox. In the end the went with with their own solution built on low level services.
Bad news.