Usernames and passwords of over 68 million Dropbox users have been leaked online

In 2012, cloud storage service provider Dropbox disclosed that hackers had gained access to a project document containing Dropbox user email addresses, through a compromised employee account. The company reported that all impacted users had been contacted and their accounts protected with forced password resets. There was no mention of the exact number of users impacted or that passwords had also been stolen.

Now, four years after the fact, the true extent of the hack has been revealed.

In a recent post, the tech blogging and news website Motherboard reported that it had obtained account details of more than 68 million Dropbox users from the breach notification service Leakbase. The files containing Dropbox user credentials (email addresses and password hashes) have been linked back to the 2012 hack.

According to Motherboard, a senior Dropbox employee has verified the legitimacy of this data.


The Impact

Although the stolen files have not yet appeared on the dark web, Dropbox joins a growing list of high-profile organisations, including social networking services, whose years-old data breaches have resurfaced. The list includes LinkedIn and Tumblr, whose user credentials were sold online long after the original breaches.

Dropbox has not yet seen any malicious access to these accounts. It has been reported that all of the stolen passwords were hashed and salted, making this incident less devastating for users than it otherwise might have been.

Of the stolen passwords, around 32 million were secured using the bcrypt hashing function, while the rest were hashed with the SHA-1 algorithm. These password hashes are also believed to have used a salt: a random string combined with each password before hashing, so that identical passwords produce different stored hashes and precomputed lookup tables are useless, making the stolen hashes very difficult to crack in bulk.

Dropbox has also changed its password hashing practices several times since 2012, in order to keep passwords secure.
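The two schemes named above, salted SHA-1 and a deliberately slow hash, and the practice of upgrading the scheme over time, can be illustrated in a few functions. The following is an added example written for this article, not Dropbox's own code: the record layout, field names, and the use of PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt's configurable work factor are all assumptions made here. It also shows the login-time migration pattern a service can use to move legacy hashes to the stronger scheme without ever storing plaintext.

```python
"""Salted password hashing, verification and scheme upgrade (added example).

Not Dropbox's implementation: the record format, the scheme names and the use
of PBKDF2-HMAC-SHA256 in the role bcrypt plays in the article are assumptions.
"""
import hashlib
import hmac
import os

LEGACY_SHA1 = "sha1"         # fast, salted SHA-1: the older scheme named in the article
SLOW_KDF = "pbkdf2"          # deliberately slow, tunable-cost hash (bcrypt's role)
PBKDF2_ITERATIONS = 600_000  # work factor; raising it is how the scheme is strengthened over time


def hash_legacy_sha1(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: a single fast hash over salt || password (20-byte digest)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated hash whose cost the operator controls (bcrypt-like role)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = SLOW_KDF) -> dict:
    """Build a stored credential: a fresh 16-byte random salt per user plus the digest."""
    salt = os.urandom(16)
    if scheme == LEGACY_SHA1:
        return {"scheme": LEGACY_SHA1, "salt": salt, "digest": hash_legacy_sha1(password, salt)}
    return {
        "scheme": SLOW_KDF,
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "digest": hash_slow(password, salt),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute under the stored salt and scheme, then compare in constant time."""
    if record["scheme"] == LEGACY_SHA1:
        candidate = hash_legacy_sha1(password, record["salt"])
    else:
        candidate = hash_slow(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Login-time migration: the plaintext is only available at sign-in, so a
    successfully verified legacy record is rehashed under the slow scheme there.
    Returns (verified, record_to_store)."""
    ok = verify(record, password)
    if ok and record["scheme"] == LEGACY_SHA1:
        return True, make_record(password, SLOW_KDF)
    return ok, record


def same_password_different_hashes(password: str) -> bool:
    """The point of per-user salts: two accounts with the same password get
    different digests, so cracking one reveals nothing about the other."""
    a = make_record(password, LEGACY_SHA1)
    b = make_record(password, LEGACY_SHA1)
    return a["digest"] != b["digest"]


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    legacy = make_record("correct horse battery staple", LEGACY_SHA1)
    ok, stored = verify_and_upgrade(legacy, "correct horse battery staple")
    print(ok, stored["scheme"])  # True pbkdf2
```

The upgrade step is what makes a gradual change of hashing practice possible: legacy records are only replaced when their owner signs in, which is also why a forced password reset is the fast way to invalidate hashes that leaked under the older scheme.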

The company launched a major password reset a week before the leak became public. “We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, Head of Trust and Security for Dropbox. “Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts.”

However, Heim did add, “While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites.”


The Takeaway

Incidents like these reiterate the importance of ongoing password management to mitigate the impact of such breaches. There are simple steps that you can take to strengthen your online security:

  • Avoid using the same password across different websites and different accounts.
  • Change your passwords frequently.
  • Do not store copies of your password in documents that others can access. Instead, use a good password manager (you can also use a password manager to create complex passwords that are harder to crack).
  • When possible, access your accounts only from secure devices. If you are using a non-personal device, always remember to sign out at the end of your session.
  • Enable two-step verification where available. This will necessitate two proofs of identity (such as your password and a temporary code sent to your phone) when signing in.


If you are a Dropbox user and have concerns about your data security and privacy, you can visit the Dropbox help centre for more information.

If you would like more information on internet security, or if you would like to arrange training sessions for your staff, contact the blueAPACHE account team.