Account Information of 68 Million Dropbox Users Stolen in 2012 Breach
The account details of more than 68 million Dropbox users have been stolen. While the breach itself occurred in 2012, the full extent of it is only now being revealed.
This week, Dropbox found account details related to the earlier breach, and emailed customers asking them to reset their passwords. The reset request was only directed to users who had joined before 2012 and who had not changed their password since. The company did not announce the exact number of resets but said they were taking these measures to be proactive.
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” the company wrote.
“We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, Head of Trust and Security for Dropbox. “We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.”
Motherboard obtained a selection of the hacked data, which included email addresses and hashed passwords. The files, which a senior Dropbox employee confirmed were legitimate, contained 5 GB and details on 68,980,741 accounts. A Dropbox spokesperson told Motherboard there was no evidence of malicious access to these accounts.
To make accounts safer, Dropbox has changed its password hashing practices since 2012. Nearly 32 million of the passwords that Motherboard examined were protected with bcrypt, which makes it unlikely that attackers could crack the hashes and recover users' real passwords. The rest were protected with the aging SHA-1 algorithm, but they were also salted, which makes them harder to crack.