Dropbox’s recent requirement that a certain group of users – those who signed up with the cloud storage firm in or before 2012 and have not changed their password since – reset their passwords stems from what is now revealed to be a massive breach of over 60 million Dropbox user accounts.
Hackers stole the credentials of over 60 million users of the popular cloud storage platform Dropbox in a 2012 breach. While certain details of the breach were disclosed at the time, the actual number of affected users remained under wraps until today.
Dropbox issued mandatory password resets for the affected users last week. According to a report on Motherboard, four files totaling nearly 5GB of data contained over 68 million Dropbox account records. An unnamed senior Dropbox employee confirmed that the data analyzed was indeed legitimate.
Troy Hunt, a notable cybersecurity researcher and owner of the popular breach notification website Have I Been Pwned, examined the data and confirmed:
There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.
Dropbox recently stated that its security team had learned of an “old set” of Dropbox user credentials obtained from the 2012 breach.
“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” Dropbox wrote, insisting that there was no evidence of malicious activity involving any Dropbox user accounts. “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in,” it confirmed.
Meanwhile, an analysis of the data dump revealed that 32 million of the passwords were protected with bcrypt, a deliberately slow hashing function, which makes it unlikely that hackers will recover the actual passwords from those hashes. The remaining passwords were hashed with SHA-1, now a legacy algorithm. Those hashes were salted, however: a random string was added to each password before hashing, so attackers cannot rely on precomputed tables and must attack every hash separately. Because SHA-1 itself is fast to compute, weak or commonly used passwords in that part of the dump remain crackable by brute force.
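As an added example that is not part of the article and not Dropbox’s own code, the following Python sketch shows why the two kinds of hash in the dump are not equivalent. It builds a constructed dump in a made-up user:salt:digest format, shows that per-user salts stop the same password from producing the same digest, then runs one small dictionary attack against salted SHA-1 and the same attack against a deliberately slow hash. bcrypt is a third-party module, so the standard library’s PBKDF2 stands in for it here; the users, wordlist and iteration count are all assumptions.

```python
"""Added example, not from the article or from Dropbox: what a leaked dump
of salted SHA-1 hashes means in practice, compared with a deliberately slow
password hash. hashlib.pbkdf2_hmac stands in for bcrypt (same idea: a
tunable work factor). The record format user:salt_hex:digest_hex, the
users and the wordlist are all constructed for illustration."""
import hashlib
import hmac
import os
import time

SLOW_ITERATIONS = 50_000  # assumed work factor for the slow hash


def sha1_salted(password: str, salt: bytes) -> str:
    """Fast hash: a single SHA-1 over salt || password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> str:
    """Slow hash: PBKDF2 iterates HMAC-SHA256 `iterations` times per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_dump(creds, hash_fn):
    """Build constructed records user:salt_hex:digest_hex with a fresh random
    salt per user, as a salted password store would."""
    records = []
    for user, password in creds:
        salt = os.urandom(8)
        records.append(f"{user}:{salt.hex()}:{hash_fn(password, salt)}")
    return records


def crack_dump(records, wordlist, hash_fn):
    """Offline dictionary attack. The per-user salt means no precomputed table
    helps: every (user, guess) pair costs one hash_fn call. Whether that is
    cheap or expensive depends entirely on hash_fn."""
    recovered = {}
    for record in records:
        user, salt_hex, digest = record.split(":")
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered


def same_password_different_digests(records):
    """True when no two records share a digest: salting hides the fact that
    two users picked the same password."""
    digests = [r.split(":")[2] for r in records]
    return len(digests) == len(set(digests))


def timed(fn, *args):
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


# Constructed credentials: two users share a weak password, one chose well.
CREDS = [("alice", "password1"), ("bob", "password1"), ("carol", "T7#qR9!vLm2p")]
# Constructed wordlist, the sort an attacker tries first.
WORDLIST = ["123456", "password", "password1", "dropbox", "letmein", "qwerty"]

if __name__ == "__main__":
    sha1_dump = make_dump(CREDS, sha1_salted)
    slow_dump = make_dump(CREDS, slow_hash)
    print("distinct digests despite a shared password:", same_password_different_digests(sha1_dump))
    fast_hits, fast_t = timed(crack_dump, sha1_dump, WORDLIST, sha1_salted)
    slow_hits, slow_t = timed(crack_dump, slow_dump, WORDLIST, slow_hash)
    print("salted SHA-1 recovered:", fast_hits, f"in {fast_t:.4f}s")
    print("slow hash recovered:   ", slow_hits, f"in {slow_t:.2f}s")
    print(f"slow hash costs roughly {slow_t / max(fast_t, 1e-9):.0f}x more per guess")
```

Run it and compare the two timings: both attacks recover alice and bob, because the salt protects neither of them from a dictionary guess; it only stops one cracked hash from unlocking both accounts at once and rules out rainbow tables. What differs is the bill per guess, and raising the work factor (SLOW_ITERATIONS here, the cost parameter in bcrypt) scales that bill for the attacker while costing a legitimate login only a few tens of milliseconds.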
In what comes as some relief, none of the major dark web marketplaces where cybercriminals routinely trade their wares currently shows any listing for the data dump.
Image credit: Pixabay.