We are looking at yet another addition to this year's ongoing list of high-profile data dumps. Dropbox and researchers have confirmed that hackers have stolen over 68 million account credentials from the cloud storage platform.
Softening the blow - not a good idea when it comes to user security
Earlier this week, Dropbox users received an email notification warning of password resets for a number of accounts. The data dump is linked to a 2012 breach. While the company did inform its users, it could have used a more straightforward tone to push users into taking action. The email clearly states that the reset is a "preventative measure," which is definitely not true when the data of over 60 million of your users is dumped online. Unless recipients clicked the added links to learn more, the subject line "Resetting passwords from mid-2012 and earlier" did little to alert users.
Dropbox is worried, we get that. But owning up to a four-year-old data breach and the resulting dump would only help the company gain user trust.
These accounts were stolen during a 2012 breach that the company had previously disclosed. Dropbox explained that users who signed up for Dropbox before mid-2012 and those who haven't changed their password since mid-2012 will be forced to reset their passwords. At the time the email notification was sent out, there was no information about the number of affected users.
68 million Dropbox accounts stolen and dumped online
Now, Motherboard reports that the online Dropbox data dump contains details on 68,680,741 accounts. Weighing in at 5 GB, these files contain users' email addresses and hashed passwords and are doing the rounds in database-trading communities. "The data is legitimate, according to a senior Dropbox employee who was not authorized to speak on the record."
Dropbox had already confirmed this data breach in 2012 and had notified its users to change their passwords. "We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox. "We initiated this reset as a precautionary measure so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
Following the mega data dumps of LinkedIn, MySpace, VK.com, and Tumblr, the Dropbox data dump is another case where stolen data from a years-old breach has been dumped online or put up for sale. Researchers have said that the Dropbox dump isn't listed on any of the major dark web marketplaces and perhaps doesn't carry much value. Over 32 million of the dumped passwords were secured using a strong hashing function, while the rest are hashed with SHA-1.
Those interested can learn more about the hashes used in Troy Hunt's blog post. You can also check whether your account details have been leaked online by searching on HaveIBeenPwned.com.
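To illustrate why the two halves of the dump are not equally exposed, here is an added example (not Dropbox's code, and not taken from the dump): a password table stored with plain unsalted SHA-1 beside one stored with a salted, deliberately slow hash, plus a login routine that verifies either format and moves legacy entries to the stronger scheme on the next successful sign-in. PBKDF2-HMAC-SHA256 is assumed here as a stand-in for a strong hash because it is in Python's standard library; the sample users and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-HMAC-SHA256


def sha1_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted SHA-1 digest. Stored as 'sha1$<hex>'."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow scheme (assumed stand-in for a strong hash such as bcrypt).
    Stored as 'pbkdf2$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either stored format, comparing in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha1":
        candidate = sha1_unsalted(password)
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(parts[2]), int(parts[1]))
        candidate = f"pbkdf2${parts[1]}${parts[2]}${digest.hex()}"
    else:
        return False  # unknown or malformed record: never accept
    return hmac.compare_digest(candidate, stored)


def login(email: str, password: str, store: dict) -> bool:
    """Authenticate; on success, upgrade a legacy SHA-1 entry to the salted scheme."""
    stored = store.get(email)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha1$"):
        store[email] = pbkdf2_salted(password)  # the plaintext is only available now
    return True


def duplicate_hash_count(store: dict) -> int:
    """Colliding stored values; with unsalted hashes, password reuse is visible at a glance."""
    values = list(store.values())
    return len(values) - len(set(values))


# Constructed sample table (not data from any dump): two users share a password.
LEGACY_STORE = {
    "alice@example.test": sha1_unsalted("correct horse battery staple"),
    "bob@example.test": sha1_unsalted("correct horse battery staple"),
}
```

With the legacy table, `duplicate_hash_count` is 1 because both users produce the identical SHA-1 value; after each has logged in once, every record carries its own salt and the count drops to 0.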
Dropbox published the following security statement, which can be accessed here in full.
Why did Dropbox prompt this password update?
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.
Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.