August 31, 2016 by

Hackers Stole Over 60 Million Dropbox Account Details

Dropbox’s recent mandate that a certain group of users – those registered with the cloud storage firm in or before 2012 – reset their passwords is due to what is now revealed to be a massive breach of over 60 million Dropbox user accounts.

Hackers stole over 60 million user accounts from the popular cloud storage platform Dropbox in a 2012 breach. While certain details of the breach were disclosed at the time, the actual number of affected users remained under wraps until today.

Dropbox even saw fit to issue mandatory password resets for its users last week. According to a report on Motherboard, four files totaling nearly 5GB of data contained over 68 million account details of Dropbox users. An unnamed senior Dropbox employee confirmed that the data analyzed was indeed legitimate.

Troy Hunt, a notable cybersecurity researcher and owner of the popular breach notification website Have I Been Pwned, verified the data to confirm:

There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing. 

Dropbox recently stated that its security team had learned of an “old set” of Dropbox user credentials obtained from the 2012 breach.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” Dropbox wrote, insisting that there was no evidence of malicious play involving any Dropbox user accounts. “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in,” it confirmed.

Meanwhile, an analysis of the data dump revealed that 32 million passwords were secured with the strong hashing function bcrypt, which means that hackers are unlikely to obtain the actual passwords of these users. The remaining passwords used SHA-1, now a legacy algorithm. However, those hashes were also salted: a random string was added to the password hashing process, making the passwords tougher to crack.
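The distinction between the two groups of hashes can be checked mechanically when auditing a credential store. The Python below is an added example, not code from the article or from Dropbox: it classifies stored hashes as bcrypt or salted SHA-1 and lists the accounts that should be forced to reset at next sign-in. The salt-then-password SHA-1 layout, the `min_cost` threshold and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# bcrypt strings have the shape $2b$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

def salted_sha1(password: str, salt: bytes) -> str:
    # Assumed legacy layout: a single fast SHA-1 pass over salt || password.
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def verify_sha1(password: str, salt: bytes, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_sha1(password, salt), stored)

def classify(stored: str):
    """Return (scheme, cost); cost is None for schemes without a work factor."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if SHA1_RE.match(stored):
        return "salted-sha1", None
    return "unknown", None

def must_reset(records, min_cost=10):
    """User ids whose stored hash is not bcrypt at or above min_cost."""
    flagged = []
    for user, stored in records:
        scheme, cost = classify(stored)
        if scheme != "bcrypt" or cost < min_cost:
            flagged.append(user)
    return flagged

# Constructed sample records (not real data); bcrypt bodies are shape-only filler.
SALT_A, SALT_B = bytes.fromhex("00112233"), bytes.fromhex("8899aabb")
RECORDS = [
    ("alice", salted_sha1("hunter2", SALT_A)),
    ("bob", salted_sha1("hunter2", SALT_B)),  # same password, different salt
    ("carol", "$2a$12$" + "A" * 53),
    ("dave", "$2a$04$" + "B" * 53),           # bcrypt, but cost below policy
]

if __name__ == "__main__":
    for user, stored in RECORDS:
        print(user, classify(stored))
    print("reset at next sign-in:", must_reset(RECORDS))
```

Alice and Bob share a password yet store different digests because of the salt, but both are still flagged: the salt blocks precomputed lookups, while only bcrypt's work factor slows down each individual guess.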

In what comes as somewhat of a relief, none of the major dark web marketplaces where cybercriminals routinely trade their wares show any listing for the data dump.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
