Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts

Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts

“Scope of password reset completed last week protected all impacted users,” says Dropbox.

Written by Tom Mendelsohn / Courtesy of ArsTechnica

Dropbox hurriedly warned its users last week to change their passwords if their accounts dated back prior to mid-2012. We now know why: the cloud-based storage service suffered a data breach that’s said to have affected more than 68 million accounts compromised during a hack that took place roughly four years ago.

The company had previously admitted that it was hit by a hack attack, but it’s only now that the scale of the operation has seemingly come to light.

Tech site Motherboard reported—citing “sources in the database trading community”—that it had obtained four files, totalling 5GB in size, which apparently contained e-mail addresses and hashed passwords for 68,680,741 Dropbox users.

A senior Dropbox employee was quoted as saying, unofficially, that the data was legit.

The hack was later confirmed by Australian security expert Troy Hunt—the man behind haveIbeenpwned.com—who claimed to have seen the data. After performing his own tests, he said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords.”

Dropbox’s security boss Patrick Heim later insisted that it was “not a new security incident,” claiming that “there is no indication that Dropbox user accounts have been improperly accessed.” He said:

Our analysis confirms that the credentials are user e-mail addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users.

Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.

While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites. The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification.

Individuals who received a notification from Dropbox should also be alert to spam or phishing.

But the company hasn’t publicly confirmed or denied that more than 68 million accounts had been compromised in the attack.

Dropbox “seems to have handled this really well,” Hunt added, noting that it had e-mailed everyone who was apparently affected, forcing password resets in a timely manner, and using a strong hashing algorithm to protect the information. “Frankly,” he said, “all but the worst possible password choices are going to remain secure even with the breach now out in the public.”

Update

In response to Ars’ question about the number of accounts affected by the hack, a Dropbox spokesperson told us after publication of this story: “We can confirm that based on our intelligence number we have seen is in the 60+ mil range.”

Read the original article over at ArsTechnica.