Any Dropbox users who haven’t updated their passwords over the past four years should do so immediately because more than 68 million records from Dropbox accounts hacked in 2012 have now appeared online, the file sharing and online storage company said.
The Dropbox files that have appeared online, first reported by Motherboard yesterday, include both user email addresses and hashed passwords. The information appears to stem from a breach Dropbox reported in 2012, the publication said.
This latest development indicates that the 2012 breach had the potential for far more fallout than Dropbox initially revealed to users. At the time, the company said a stolen employee password had enabled unauthorized access to a project document containing user email addresses, resulting in spam being sent to some of those users.
No Signs of Improper Access
Users who signed up for the service before mid-2012 and haven’t changed their passwords since then would receive a prompt to update them the next time they signed in, Patrick Heim, Dropbox’s head of trust and security, wrote in a blog post last week. While there was no sign that users’ accounts had been improperly accessed, Dropbox’s security teams recommended the precaution based on threat monitoring related to the old credentials stolen in 2012, he said.
Heim offered more details about those precautions yesterday in a blog post update. “Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012,” Heim said. “The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed.”
After apologizing for the incident, Heim noted that Dropbox had already emailed “all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since mid-2012.” That ensures that even if hackers could crack the compromised credentials, they would not be able to access users’ Dropbox accounts.
‘If in Doubt,’ Change Password
“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing,” security developer Troy Hunt wrote yesterday on his blog. He said he analyzed files provided to him by a supporter and found both his and his wife’s passwords in the files.
However, those passwords appeared as records hashed with either bcrypt or SHA-1 (Secure Hash Algorithm 1), added Hunt, who provides online security training through Pluralsight and also runs the breach-notification site Have I Been Pwned?
“Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” Hunt noted. However, he recommended that Dropbox users “in any doubt” change their passwords and enable two-step verification for added security.
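Hunt’s point, that a slow salted hash such as bcrypt keeps all but the weakest passwords safe even after the hashes leak while an unsalted SHA-1 hash does not, and Dropbox’s response of forcing a reset on anyone who hadn’t changed their password since mid-2012, can both be shown in a small credential store. The following is an added example and is not code from the article, from Dropbox or from Troy Hunt. Because Python’s standard library has no bcrypt, it uses PBKDF2-HMAC-SHA256 as a stand-in slow, salted scheme (a different algorithm from bcrypt, but it illustrates the same cost-per-guess argument); the record layout, the sample accounts, and the 1 July 2012 cutoff date are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from datetime import date

# Stand-in work factor for the slow scheme (assumption; tune per deployment).
PBKDF2_ITERATIONS = 200_000
# "Mid-2012" from the article, pinned to a concrete date for the example (assumption).
RESET_CUTOFF = date(2012, 7, 1)


def hash_password(password: str, iters: int = PBKDF2_ITERATIONS) -> dict:
    """Create a modern record: random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return {"scheme": "pbkdf2", "salt": salt, "iters": iters,
            "hash": digest, "changed": date.today()}


def legacy_sha1_record(password: str, changed: date) -> dict:
    """Build an unsalted SHA-1 record. Only used here to construct sample
    legacy data; never store new passwords this way."""
    return {"scheme": "sha1", "hash": hashlib.sha1(password.encode()).digest(),
            "changed": changed}


def verify_password(record: dict, password: str) -> bool:
    """Check a password against either record type, in constant time."""
    if record["scheme"] == "sha1":
        candidate = hashlib.sha1(password.encode()).digest()
    elif record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        record["salt"], record["iters"])
    else:
        raise ValueError("unknown scheme: %r" % record["scheme"])
    return hmac.compare_digest(candidate, record["hash"])


def needs_forced_reset(record: dict, cutoff: date = RESET_CUTOFF) -> bool:
    """Dropbox's rule from the article: anyone who hasn't changed their
    password since the cutoff gets a reset, even if the hash is strong."""
    return record["changed"] < cutoff


def login(store: dict, email: str, password: str) -> tuple:
    """Returns (allowed, outcome). A correct password on a stale record is
    refused until reset; a correct password on a legacy SHA-1 record is
    transparently re-hashed with the slow scheme, keeping its change date."""
    record = store.get(email)
    if record is None or not verify_password(record, password):
        return False, "denied"
    if needs_forced_reset(record):
        return False, "password_reset_required"
    if record["scheme"] == "sha1":
        upgraded = hash_password(password)
        upgraded["changed"] = record["changed"]   # a re-hash is not a user change
        store[email] = upgraded
    return True, "ok"


def seconds_per_guess(record: dict, n: int = 5) -> float:
    """Average wall-clock cost of testing one wrong guess against a record;
    this is the figure that decides how resilient a leaked hash is offline."""
    start = time.perf_counter()
    for _ in range(n):
        verify_password(record, "not-the-password")
    return (time.perf_counter() - start) / n


def build_sample_store() -> dict:
    """Constructed sample accounts (not real data)."""
    return {
        "alice@example.com": legacy_sha1_record("correct horse battery staple",
                                                date(2011, 3, 1)),   # stale
        "bob@example.com": legacy_sha1_record("bob-changed-this-in-2014",
                                              date(2014, 1, 1)),     # legacy but recent
        "carol@example.com": hash_password("carol-modern-passphrase"),
    }


if __name__ == "__main__":
    store = build_sample_store()
    print(login(store, "alice@example.com", "correct horse battery staple"))
    print(login(store, "bob@example.com", "bob-changed-this-in-2014"),
          store["bob@example.com"]["scheme"])
    ratio = (seconds_per_guess(store["carol@example.com"])
             / seconds_per_guess(store["alice@example.com"]))
    print("slow scheme costs about %.0fx more per guess than unsalted SHA-1" % ratio)
```

The ratio printed at the end is the whole argument in one number: an attacker holding the leaked file pays that multiple for every guess against a slow, salted record, which is why Hunt could say that only the worst password choices are at risk on the bcrypt side of the dump, whereas the SHA-1 side is where a forced reset matters most.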
People using online services such as Dropbox should also delete old accounts they no longer use, avoid reusing the same password on multiple sites, and be wary of third-party integrations that let users, for example, access games or other applications via a Facebook or Dropbox login, said Kaspersky Lab’s Jeffrey Esposito in a separate blog post yesterday.
The Dropbox breach “is another eye-opener and an important example of how criminals continue to target digital identities,” Esposito said.