Dropbox data breach from 2012 affected 68 million users

Jos


Last week, Dropbox users with an account prior to mid-2012 that hadn’t changed their password since were prompted to do so the next time they sign in. The move was billed as a “preventive measure” but apparently there’s more to the story: security researchers claim the details of 68,680,741 user accounts have been leaked onto the dark web, complete with their email addresses and hashed passwords, as the result of a data breach back in 2012.

The data dump came to light after it was picked up by security notification service Leakbase, which sent the 5GB file to Motherboard. The latter says it was able to get confirmation from a "senior Dropbox employee" speaking on the condition of anonymity that the leaked data is genuine. The company had around 100 million customers at the time, meaning the data dump represents over two-thirds of its user accounts.

It’s not all bad news, however. According to security expert Troy Hunt, who examined the files, Dropbox did use strong password-hashing practices and appears to have been in the process of upgrading to a more secure standard called bcrypt. According to Hunt, “all but the worst possible password choices are going to remain secure even with the breach now out in the public.”

Dropbox's security boss Patrick Heim also says that there’s no indication that Dropbox user accounts have been improperly accessed. However, affected users who may have reused their password on other sites should take steps to make their passwords, both on Dropbox and on other sites, strong and unique, and should enable two-step verification.

If you are among those affected by the breach you should have received a notification already prompting you to change your password. You can also check whether your data was breached in this or other security incidents at Have I Been Pwned -- a site maintained by Hunt.


 
I have personally entered several random Dropbox accounts (did not do anything, just viewed some photos of babies!) at the time they were furiously denying it :D
 
This is a huge issue for such a service; good thing my personal policy is to activate 2-step auth everywhere that has it, and also to change the passwords every now and then. This still leaves a bitter aftertaste.

Dropbox's security boss Patrick Heim also says that there’s no indication that Dropbox user accounts have been improperly accessed.
How can he assure such a thing?
 

How can they be allowed to not report it for 4 years? That is the biggest thing that pissed me off.

I got hacked on several accounts in 2014 by some Russian IP. I used the same Dropbox password for a couple of things, but not all of my accounts. Well, sure enough they got hacked; however, no changes were made to my Dropbox account. No file changes, no password changes, none of that.

If they know someone has hacked their systems and is out selling the millions of stolen emails/passwords etc., they should inform their users of it. It's ridiculous they let it go for four years. That's some shady NSA-style BS that a company should not be allowing to happen. Not without some sort of repercussions.
 
How can they be allowed to not report it for 4 years? That is the biggest thing that pissed me off.
It was reported by some independent media sites, but all those posts were quickly shot down by numerous commenters with low comment counts, who said things like "it's a lie", "bs", "fud" and so on... so I just thought someone had prepaid for a long time... so I sent (in PM) some accounts to several of those posters to test for themselves... strangely enough I never heard back, and those accounts were no longer accessible with the same pass soon after...


I just want to point out that Dropbox is a shitty, insecure service with greedy intentions that should not be used by anyone.
 

I have nothing of any real value on Dropbox; I use it as a cordless USB between computers when transferring Word docs and text files. I would have preferred if only my Dropbox had been hacked as opposed to Gmail, PSN, and a couple of others.

The fault was mine for using the same password across multiple sites. That has since been changed. I made sure to do that after recovering my other accounts.
 
I just want to point out that Dropbox is a shitty, insecure service with greedy intentions that should not be used by anyone.
No it's not, it's secure for the most part; if you've added 2-step authentication (as recommended just about everywhere) and used a unique password for the service, it wouldn't have been an issue at all.

When you use something over the internet you should always expect that someone will try to hack it.
 