Dropbox, one of the most popular cloud storage firms, has been hacked and more than 68 million users’ passwords and email addresses have leaked to the Internet. However, one unusual fact about this hack is that it happened in 2012. At that time, Dropbox did report the theft of users’ email addresses. However, they did not say a word about the passwords. Since users usually reuse passwords or guessable variations of their password, the data that the hackers possess can allow bad actors to access all sorts of accounts.
All of the passwords came to light when the database was picked up by Leakbase, a security notification service. Leakbase forwarded the data to Motherboard. Troy Hunt, an independent security researcher, verified the data by discovering both his account details and that of his wife. Hunt said:
“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”
Last week, Dropbox announced that they had performed a mass account reset. They also claim that they would prompt the users who hadn’t changed their passwords for a long time to do so. Dropbox wrote:
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”
The same year the hack occurred, the Dropbox team said that spammers had used credentials obtained in breaches of other websites to access certain Dropbox accounts. They added that one of the company’s employees’ accounts had been hacked this way, and that the attackers found more user email addresses stored in that account. They never gave any hint of the scale of the breach. Now, it is clear the data spill is far larger than anyone could have assumed.
Who Is Affected?
The answer to this question is that 68,680,741 account owners are affected. Even a senior Dropbox employee confirmed to the publication that these credentials were legitimate. However, the Dropbox team claims that there was no sign of intrusion on the compromised accounts and that the owners of those accounts had their passwords reset. In addition, the company encourages all users to enable two-factor authentication and to change passwords on other sites if they are similar to their Dropbox password.
If you are afraid that you might be a victim of this hack, visit Have I Been Pwned, Troy Hunt’s tool that will tell you if your data is included in the breach.
What Could Be The Consequences Of The Hack?
The good news is that all the passwords in the data dump are hashed. This means that the passwords themselves were not stored; only the scrambled output of a one-way function was exposed. However, some passwords were protected by weaker and others by more robust hashing algorithms.
One thing is for sure. The Dropbox team tried to control the damage that had been done by telling their users the password reset emails are “purely a preventative measure.” They are to blame for the fact that affected users’ passwords have been unchanged since 2012. Since 2012, the hackers have had enough time not only to crack the hashed passwords but also to reuse them wherever they can.
“Having investigated parallel types of cases in prior years … when you have large-scale password leaks like this, the ramifications get felt at a lot of organizations for a long time,” says Ryan Kazanciyan, chief security architect at network security firm Tanium. He believes this leak is similar to the recent breach of years-old LinkedIn user data. “It just became an easy starting point for password guessing, because everyone had access to the dump.”
By urging their victims to reset their passwords, Dropbox has finally taken the basic steps necessary to respond to the hack. Hopefully, if another breach ever happens again, Dropbox will alert the victims on time, not a few years too late.