Dropbox, the popular cloud storage firm, has been hacked, with almost 68 million users’ email addresses and passwords dumped onto the internet. The attack dates back to 2012. Dropbox reportedly disclosed that a collection of users’ email addresses had been stolen. It did not mention that passwords had been stolen as well.
The password dump came to light when the database was picked up by security notification service Leakbase and was then sent to Motherboard.
The Dropbox Hack: 68 Million User Accounts Affected
Troy Hunt, an independent security researcher and operator of the “Have I been pwned?” data leak database, confirmed the news once he discovered both his own account details and those of his wife. Hunt said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”
Dropbox sent a notification last week to all users who had not changed their passwords since 2012. The business counted around 100m customers at the time, implying the data dump represents over two-thirds of its user accounts. At the time, Dropbox followed good user data security practice, hashing the passwords, and appears to have been in the process of upgrading the hashing from the SHA1 standard to a more secure standard called bcrypt. Half the passwords were still hashed with SHA1 at the time of the theft.
“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure you enable Dropbox’s two-step verification while you’re there if it’s not on already.”
The company has not said precisely how many users’ passwords it reset at the time. The hack emphasizes the need for tighter security, both at the user end – the use of strong passwords, two-step verification and no reuse of passwords – and for the companies storing user data.
Use of a Password Manager Is as Important as Having a Secure Password
Leading security experts recommend using a password manager to safeguard the scores of unique and complex passwords required to properly secure the numerous logins needed for daily life. Recent attacks on companies including browser maker Opera, which stores and syncs user passwords, and password manager OneLogin, have revealed the underlying risks of using such tools.
“There is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users,” a Dropbox spokesperson said.