Hackers stole over 60 million user accounts from online cloud storage platform Dropbox in a breach that occurred in 2012. The breach had previously been disclosed, but at the time it was not known how many users had been affected. Dropbox recently initiated password resets for all its users after uncovering account credentials online which appeared to be linked to the massive LinkedIn breach.
According to Motherboard, a total of 5GB of files, containing 68,680,741 accounts, was uncovered. An unnamed senior Dropbox employee confirmed that the data analysed appeared to be legitimate. One unnamed hacker claimed to already have access to the data.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox. "We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
Almost 32 million of the passwords are allegedly secured with the strong password hashing function bcrypt. This makes it unlikely that hackers can recover those users' actual passwords and additional details. The remaining passwords analysed appeared to be hashed with SHA-1. The password hashes also appeared to have used a salt, a random string added to each password before it is hashed, as an additional measure to strengthen them: a per-user salt prevents precomputed lookup tables and stops identical passwords from producing identical hashes, although unlike bcrypt a single salted SHA-1 remains cheap to compute per guess.
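The practical lesson of the mixed bcrypt/SHA-1 store described above is how a service migrates legacy salted SHA-1 hashes to a slow, adaptive hash without ever holding plaintext passwords: it can only rehash at the moment a user logs in. The Python below is an added illustration and is not Dropbox's code or anything from the article. Because bcrypt is not in the Python standard library, it uses `hashlib.pbkdf2_hmac` with a high iteration count as a stand-in for bcrypt's tunable work factor; the user store, usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Scheme labels stored beside each hash so the verifier knows which function to run.
LEGACY_SCHEME = "sha1"              # single salted SHA-1, as in the older part of the dump
SLOW_SCHEME = "pbkdf2-sha256"       # stand-in for bcrypt (assumption: bcrypt is not in stdlib)
PBKDF2_ITERATIONS = 200_000         # the tunable cost, the role bcrypt's work factor plays


def hash_legacy_sha1(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: the salt defeats precomputed tables, but each guess still
    costs an attacker only one cheap hash operation."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Adaptive hash: every guess costs `iterations` HMAC computations, which is
    what makes a leaked hash far less useful to whoever trades it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = SLOW_SCHEME) -> dict:
    """Build a stored credential record with a fresh random 16-byte salt."""
    salt = secrets.token_bytes(16)
    if scheme == LEGACY_SCHEME:
        return {"scheme": LEGACY_SCHEME, "salt": salt,
                "hash": hash_legacy_sha1(password, salt)}
    return {"scheme": SLOW_SCHEME, "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": hash_slow(password, salt)}


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login attempt; on success, transparently rehash a legacy SHA-1
    record into the slow scheme, since this is the only time the plaintext exists."""
    record = store.get(user)
    if record is None:
        return False
    if record["scheme"] == LEGACY_SCHEME:
        candidate = hash_legacy_sha1(password, record["salt"])
    else:
        candidate = hash_slow(password, record["salt"], record["iterations"])
    # Constant-time comparison so the verifier itself does not leak via timing.
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if record["scheme"] == LEGACY_SCHEME:
        store[user] = make_record(password)   # upgrade in place on successful login
    return True


if __name__ == "__main__":
    # Constructed sample store: one user still on the legacy scheme.
    users = {"alice": make_record("correct horse battery", scheme=LEGACY_SCHEME)}
    print("before login:", users["alice"]["scheme"])
    print("wrong password:", verify_and_upgrade(users, "alice", "not it"))
    print("right password:", verify_and_upgrade(users, "alice", "correct horse battery"))
    print("after login:", users["alice"]["scheme"])
```

Running it shows the record moving from `sha1` to `pbkdf2-sha256` only after a successful login; a failed attempt leaves the legacy hash untouched, so the upgrade never happens on attacker-supplied guesses. In production the cost parameter would be chosen by measuring hash time on the real hardware and raised over time, which is the same tuning knob bcrypt exposes as its work factor.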
Fortunately, there is no indication yet that the Dropbox account dump has appeared on any of the major dark web marketplaces. Reports speculate that this may be due to the strong password hashing used by Dropbox, which would make the stolen data significantly less valuable to cybercriminals trading stolen credentials in the digital underground.
Dropbox is not the only firm to be impacted by the breach, which saw hackers listing over 100 million user accounts for sale on the dark web. Shortly after the breach, tech giants like Facebook and Netflix also issued password resets for their users as a pre-emptive measure.
IBTimes UK was contacted by Dropbox's press office with the following comments, which stress that the stolen accounts stemmed not from an internal Dropbox breach but from a breach at another site combined with password reuse, which put user credentials at risk.
"Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012. The list of email addresses with hashed and salted passwords is real; however, we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on," said Patrick Heim, Dropbox's Global Head of Security, in a blog post.