Dropbox has confirmed reports claiming a data breach in 2012 disclosed the credentials of more than 68 million accounts, but notes an internal investigation uncovered no indication of improper account access.
Last week, Dropbox sent out emails saying customers who signed up for the service prior to mid-2012, and have not changed their password since then, would be forced to do so the next time they sign in. At the time, the company provided an FAQ webpage on the reset process, stating the measure was "purely preventative."
A subsequent report from Motherboard on Tuesday claimed to have evidence that a previously disclosed data breach from 2012 released details of 68,680,741 Dropbox accounts, including email addresses and hashed and salted passwords. The cloud storage company responded today.
"The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed," the company said. "We're very sorry this happened and would like to clear up what's going on."
Two weeks ago, Dropbox heard rumors that a list of user credentials was circulating in the wild, the company said. Following an investigation, it concluded the now-confirmed account details were likely garnered surreptitiously during a data breach in 2012. To ensure the stolen passwords would not be used, the company implemented a forced password reset for a subset of users, then sent notifications alerting customers of the new policy.
According to Motherboard, some 32 million of the listed passwords are protected with the bcrypt hashing function, while the remainder are believed to be salted SHA-1 hashes. Neither scheme is completely secure, but both make the passwords reasonably difficult to crack.
That being said, some people use the same password across multiple services. If an unlucky user's email address and password had leaked in a separate breach, that data could theoretically be matched against this list to gain access to their Dropbox account, or vice versa if an attacker manages to crack the salted Dropbox password. For this reason, Dropbox suggests that users change any reused passwords.
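The difference between the two hash formats comes down to what one guess costs. The following is an added illustration, not Dropbox's code: bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a high iteration count stands in for it, and the salt values and passwords are constructed.

```python
"""Per-guess cost of salted SHA-1 versus a work-factor KDF (bcrypt stand-in)."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def sha1_salted_hash(password: str, salt: bytes) -> bytes:
    """Legacy scheme: per-user random salt, then a single SHA-1 pass."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def kdf_hash(password: str, salt: bytes) -> bytes:
    """Work-factor scheme (stand-in for bcrypt): same salt, many iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes, scheme) -> bool:
    """Constant-time comparison so verification leaks nothing through timing."""
    return hmac.compare_digest(scheme(password, salt), stored)


def salt_isolates_users(password: str) -> bool:
    """Two users sharing a password get different hashes: one crack is not all."""
    s1, s2 = os.urandom(16), os.urandom(16)
    return sha1_salted_hash(password, s1) != sha1_salted_hash(password, s2)


def per_guess_cost_ratio(password: str = "correct horse battery staple") -> float:
    """How many times longer one guess takes against the KDF than against SHA-1."""
    salt = os.urandom(16)  # constructed, per-call salt

    def timed(fn, rounds):
        t0 = time.perf_counter()
        for _ in range(rounds):
            fn(password, salt)
        return (time.perf_counter() - t0) / rounds

    return timed(kdf_hash, 3) / timed(sha1_salted_hash, 2000)


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = kdf_hash("hunter2", salt)  # constructed sample password
    print("correct password verifies:", verify("hunter2", salt, stored, kdf_hash))
    print("wrong password verifies:", verify("hunter3", salt, stored, kdf_hash))
    print(f"one KDF guess costs ~{per_guess_cost_ratio():,.0f}x a salted SHA-1 guess")
```

The ratio is the attacker's slowdown per guess, which is why the article treats the bcrypt half of the list as the better-protected one.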
The company also warns users to be on the lookout for spam or phishing attempts, as email addresses were included in the list.
5 Comments
Yup.
I knew there was a reason why I have avoided Dropbox.
Because I use a password manager with an excessively long and complex randomly generated password, plus 2FA, I hadn't changed it since before this breach. I don't suspect anything wrong with my account since 2FA would let me know if a code was requested and any access would have sent me an email letting me know the OS, browser, location, and time my account was accessed, but I changed them anyway.
For good measure, I'll start renewing all my accounts with passwords over 3 years old. 1Password's Security Audit section makes easy work of this.