When hackers infiltrated Dropbox in 2012 they made off with credentials for roughly 68 million users.
The fact that the online storage site was hacked four years ago was no secret. But details around the sheer size of the stolen database, which contains users’ email addresses plus hashed and salted passwords from 2012, were unknown until Tuesday, when a 5 gigabyte cache of the credentials began making the rounds on database trading sites this week, according to Motherboard.
Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, verified the database, which consists of information on 68,648,009 Dropbox users.
Hunt claims the leak is four sets of files; two containing email addresses and bcrypt hashes, and another two containing email addresses and SHA1 hashes. The difference in cryptographic hash function assumes the company shifted the algorithm it used at one point, likely back in 2012.
In combing through the data, Hunt was able to verify a bcrypt hash of his wife’s 2012 unique Dropbox password matched her actual password; something that easily convinced him the breach was legitimate.
“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing,” Hunt wrote in a blog entry on Wednesday.
The 68-million users figure comes six days after the site forced a password reset for users who hadn’t updated their passwords since 2012.
Resetting passwords to keep your files safe https://t.co/YmG4uGUeHQ
— Dropbox (@Dropbox) August 25, 2016
The company’s Head of Trust and Security Patrick Heim informed users last week that the move was a “preventative measure” and claimed it was spurred by the discovery of a cache of older Dropbox user credentials. Heim didn’t specify exactly how many accounts had been implicated in the breach.
Heim stressed in a statement provided to Threatpost on Wednesday that the leaked database consists of old, hashed and salted passwords that were reset last week.
“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012,” Heim said Wednesday.
“We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since,” he said.
Like he did last week, Heim again encouraged Dropbox users, if they haven’t already, to implement two-step verification on their accounts. He also cautioned any users who may have used the same 2012 Dropbox password on another site, to remain vigilant, and naturally, if they haven’t already done so, change that password.
Dropbox was initially tight-lipped about the breach in the weeks after it happened in 2012. For weeks that July users were hit with spam emails advertising casinos and gambling sites. It wasn’t until August that the company confirmed there had been an incident and began implementing two-factor authentication.
The hack is the latest in a long line of years-old password-related leaks and breaches to come to light this summer.
Myspace was hacked in 2008 but it wasn’t until the end of May that the details on 360 million of its users – including their email addresses and the unsalted SHA-1 hashes of the first 10 characters of their passwords – were leaked. The scope of the 2012 LinkedIn hack became clearer in May as well after 117 million credentials from the site were put up for sale and corresponding hashed passwords were subsequently cracked.
Attackers have also leaked old credentials from VK, Yahoo, and Tumblr over the past few months.
