
Dropbox employee’s password reuse led to theft of 60M+ user credentials

The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts.


Earlier this week, Dropbox reset user passwords for all accounts that hadn’t changed them since 2012, following its discovery of a file containing hashed and salted passwords that were obtained in a previous security breach.

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.

Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed.

“For the most part, until we (or someone else) figures out how they [the passwords] were hashed, the database is useless other than knowing who registered for Dropbox for [sending] spam emails,” LeakedSource added.

A spokesperson told The Register “We are confident that this is not a new incident; this data is from 2012, and these credentials were covered by the password reset”.

Customers who used their Dropbox password on other services should also update it on those sites. At the time of the breach, Dropbox was moving away from the hash function SHA-1, a standard choice at the time, and replacing it with the more robust bcrypt.

However, 36 million of the passwords were still stored with the now-dated SHA-1 hash, which is less secure, although Dropbox applied an additional layer of encryption which, according to Motherboard, does not appear to have been breached.
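As an added illustration of the migration described above (example code, not Dropbox's own), a verify-and-upgrade-on-login routine: legacy salted SHA-1 records are still checked, but a successful login rehashes the password under a slow scheme, so accounts that never log in again are the ones that still need a forced reset. The standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt so the snippet runs without third-party packages; the legacy salt layout is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Work factor for the modern scheme (PBKDF2-HMAC-SHA256 as a stand-in for bcrypt).
PBKDF2_ITERATIONS = 600_000


@dataclass
class StoredCredential:
    scheme: str    # "sha1" (legacy record) or "pbkdf2" (current record)
    salt: bytes
    digest: bytes


def legacy_sha1(password: str, salt: bytes) -> bytes:
    # Assumed legacy layout: one fast SHA-1 pass over salt || password.
    return hashlib.sha1(salt + password.encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow, salted hash; this is the scheme new records should use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def needs_forced_reset(cred: StoredCredential) -> bool:
    # Accounts still on the legacy scheme can only be upgraded when the user
    # logs in; dormant ones must be reset by the operator instead.
    return cred.scheme == "sha1"


def verify_and_upgrade(cred: StoredCredential, password: str) -> Tuple[bool, StoredCredential]:
    """Check the password against whichever scheme the record uses.
    On success, a legacy record is rehashed with a fresh salt under the modern scheme."""
    if cred.scheme == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password, cred.salt), cred.digest)
    elif cred.scheme == "pbkdf2":
        ok = hmac.compare_digest(modern_hash(password, cred.salt), cred.digest)
    else:
        return False, cred          # unknown scheme: refuse rather than guess
    if not ok:
        return False, cred          # never touch the record on a failed login
    if cred.scheme == "sha1":
        new_salt = os.urandom(16)
        cred = StoredCredential("pbkdf2", new_salt, modern_hash(password, new_salt))
    return True, cred


# Constructed sample: a legacy record as it would sit in the old table.
SAMPLE_SALT = b"constructed-salt"
LEGACY_RECORD = StoredCredential("sha1", SAMPLE_SALT, legacy_sha1("correct horse", SAMPLE_SALT))
```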

In a November 2012 interview with Forbes, Dropbox CEO Drew Houston said the service had drawn around 100 million users, double the figure from a year earlier. The company did not publish an exact figure on the number of resets, and said it had taken the move proactively.

The company once again acknowledged the 2012 breach and revealed that it had discovered some old Dropbox user records being exchanged online. Dropbox recently initiated password resets for all its users, after uncovering accounts online which appeared to be linked to the massive LinkedIn breach.

Security researcher Troy Hunt confirmed that the hacked data was real by checking his wife’s details for the cloud storage service.

And keep in mind to enable two-factor authentication and to avoid reusing your passwords across multiple services: a Dropbox employee’s own lax practices enabled the theft of all this information in the first place.

Dropbox is anxious, we get that. An unnamed senior Dropbox employee confirmed that the data analysed appeared to be legitimate.


And again, this happened in 2012, when Dropbox was still a young company (worth only $4 billion, compared to its $10 billion valuation now).
