Dropbox confirms exposure of 68M account credentials, says no evidence of improper access

Posted in General Discussion, edited August 2016

Dropbox has confirmed reports claiming a data breach in 2012 disclosed the credentials of more than 68 million accounts, but notes an internal investigation uncovered no indication of improper account access.

Last week, Dropbox sent out emails saying customers who signed up for the service prior to mid-2012, and have not changed their password since then, would be forced to do so the next time they sign in. At the time, the company provided an FAQ webpage on the reset process, stating the measure was "purely preventative."

A subsequent report from Motherboard on Tuesday claimed to have evidence that a previously disclosed data breach from 2012 released details of 68,680,741 Dropbox accounts, including email addresses and hashed and salted passwords. The cloud storage company responded today.

"The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed," the company said. "We're very sorry this happened and would like to clear up what's going on."

Two weeks ago, Dropbox heard rumors that a list of user credentials was circulating in the wild, the company said. Following an investigation, it concluded the now-confirmed account details were likely garnered surreptitiously during a data breach in 2012. To ensure the stolen passwords would not be used, the company implemented a forced password reset for a subset of users, then sent notifications alerting customers of the new policy.

According to Motherboard, some 32 million of the listed passwords are protected with the bcrypt hashing function, while the remainder are protected with what are believed to be salted SHA-1 hashes. While not completely secure, both protections make the passwords reasonably difficult to crack.
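The two schemes differ mainly in cost: salted SHA-1 is a single fast hash, while bcrypt is deliberately slow. The following added example (not Dropbox's code) shows the verify-then-rehash-on-login pattern a service uses to migrate legacy salted-SHA-1 records to a slow hash, and why accounts that never log in keep the weak hash and can only be protected by a forced reset. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (an assumption, since bcrypt is not in the Python standard library); the record format and salts are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the slow scheme. Dropbox's newer records used bcrypt; this
# example substitutes PBKDF2-HMAC-SHA256 (assumption) because it is in stdlib.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Legacy record: a single salted SHA-1 digest (the weaker scheme in the leak)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def modern_hash(password: str, salt: bytes = b"") -> str:
    """Slow, salted record. A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record type, using a constant-time compare."""
    scheme, *fields = record.split("$")
    if scheme == "sha1":
        salt_hex, digest = fields
        expected = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = fields
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def needs_reset(record: str) -> bool:
    """A record still on the legacy scheme cannot be upgraded without the plaintext."""
    return record.startswith("sha1$")


def login(password: str, record: str) -> tuple:
    """Return (ok, record_to_store). The plaintext is only available during a
    successful login, so that is the only moment a legacy record can be rehashed."""
    if not verify(password, record):
        return False, record
    if needs_reset(record):
        return True, modern_hash(password)
    return True, record
```

Users who never signed in after the migration began would keep a `sha1$` record indefinitely, which is the population a forced reset targets.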

That being said, some people use the same password across multiple services. If an unlucky user's email address and password were to have leaked in a separate breach, the data could theoretically be matched to gain access to their Dropbox account, or vice versa if a hacker is able to crack the salted Dropbox password. For this reason, Dropbox suggests users change reused passwords.

The company also warns users to be on the lookout for spam or phishing attempts, as email addresses were included in the list.

Comments

  • Reply 1 of 5
    Yup.
    I knew there was a reason why I have avoided Dropbox.
  • Reply 2 of 5
    Soli Posts: 8,692 member
    Because I use a password manager with an excessively long and complex randomly generated password, plus 2FA, I hadn't changed it since before this breach. I don't suspect anything wrong with my account since 2FA would let me know if a code was requested and any access would have sent me an email letting me know the OS, browser, location, and time my account was accessed, but I changed them anyway.

    For good measure, I'll start renewing all my accounts with passwords over 3 years old. 1Password's Security Audit section makes easy work of this.
  • Reply 3 of 5
    Soli Posts: 8,692 member
    sockrolid said:
    Yup.
    I knew there was a reason why I have avoided Dropbox.
    No system is unhackable and I put Dropbox in my top 10 for companies that have taken security and the user experience very seriously.
  • Reply 4 of 5
    ajl Posts: 98 member
    Dropbox emailed me too even though I'd changed the password last year. This would mean the disclosed accounts are more than 68M. Anyway, last year I enabled the two-step verification code: maybe the better way to keep a Dropbox account safe.
  • Reply 5 of 5
    mattinoz Posts: 1,023 member
    Soli said:
    sockrolid said:
    Yup.
    I knew there was a reason why I have avoided Dropbox.
    No system is unhackable and I put Dropbox in my top 10 for companies that have taken security and the user experience very seriously.
    Really? I'd have them up there with LinkedIn or the ABS as poor on security, with a tendency to sweep issues under the rug first and admit them only when pushed.