Dropbox recently notified users of a potential forced password reset after its security team discovered a batch of account credentials believed to have been obtained from a known 2012 data breach. While the initial announcement failed to specify the exact number of impacted users, a report on Tuesday puts the number at well over 68 million.
In a set of files obtained through sources in the database trading community and Leakbase, Motherboard found evidence relating to 68,680,741 Dropbox accounts, including email addresses and hashed and salted passwords. An unnamed Dropbox employee verified the data's legitimacy.
It is unclear how many users have been impacted by the hack dating back to 2012, but today's report is the first to offer detail on the previously disclosed breach.
Last week Dropbox sent out emails alerting an unknown number of users that they might be prompted to change their password if they had not done so since mid-2012. The company said the measure was "purely preventative," apologized for the inconvenience and directed users looking for further details to a Help Center webpage. The FAQ runs through the password reset process and, about halfway down the page, reveals the impetus behind the new protocol.
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.
Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in.
Within Motherboard's cache of user data, almost 32 million of the passwords are secured using the "bcrypt" hashing function, while the remainder are protected by what is believed to be salted SHA-1 hashes.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Dropbox's Head of Trust and Security, Patrick Heim. "We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
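The two mitigations the report describes, a forced reset for any password unchanged since mid-2012 and the difference between the fast salted SHA-1 hashes and the slow bcrypt hashes in the dump, can be illustrated with a small login routine. This is an added example, not Dropbox's code: the 1 July 2012 cutoff, the record layout and the constructed records are assumptions, and stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt.

```python
import hashlib
import hmac
import os
from datetime import date

# "Mid-2012" in Dropbox's notice; the exact day is an assumption for this example.
BREACH_CUTOFF = date(2012, 7, 1)
PBKDF2_ROUNDS = 200_000  # stand-in for bcrypt's work factor (assumed value)


def legacy_sha1(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: a single fast hash, cheap to brute-force offline once leaked."""
    return hashlib.sha1(salt + password.encode()).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash. PBKDF2-HMAC-SHA256 stands in for bcrypt (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


HASHERS = {"sha1": legacy_sha1, "pbkdf2": strong_hash}


def make_record(password: str, algo: str, last_changed: str) -> dict:
    """Build a constructed credential record; last_changed is an ISO date string."""
    salt = os.urandom(16)
    return {"algo": algo, "salt": salt, "hash": HASHERS[algo](password, salt),
            "last_changed": date.fromisoformat(last_changed)}


def needs_reset(record: dict) -> bool:
    """Dropbox's rule: any password not changed since mid-2012 must be reset."""
    return record["last_changed"] < BREACH_CUTOFF


def login(record: dict, password: str) -> tuple:
    """Return (status, record); status is 'reset_required', 'denied' or 'ok'.
    A correct legacy SHA-1 password is transparently re-hashed with the strong scheme,
    so the weak hash no longer sits in the store waiting for the next leak."""
    if needs_reset(record):
        return "reset_required", record
    expected = HASHERS[record["algo"]](password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):  # constant-time compare
        return "denied", record
    if record["algo"] == "sha1":
        salt = os.urandom(16)
        record = {**record, "algo": "pbkdf2", "salt": salt,
                  "hash": strong_hash(password, salt)}
    return "ok", record
```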