Dropbox data breach from 2012 affected 68 million users

By Jos · 7 replies
Aug 31, 2016
Post New Reply
  1. Last week, Dropbox users with an account prior to mid-2012 that hadn’t changed their password since were prompted to do so the next time they sign in. The move was billed as a “preventive measure” but apparently there’s more to the story: security researchers claim the details of 68,680,741 user accounts have been leaked onto the dark web, complete with their email addresses and hashed passwords, as the result of a data breach back in 2012.

    The data dump came to light after it was picked up by security notification service Leakbase, which sent the 5GB file to Motherboard. The latter says it was able to get confirmation from a "senior Dropbox employee" speaking on the condition of anonymity that the leaked data is genuine. The company had around 100 million customers at the time, meaning the data dump represents over two-thirds of its user accounts.

    It’s not all bad news, however. According to security expert Troy Hunt the files, Dropbox did use strong encryption practices, and appears to have been in the process of upgrading to a more secure standard called bcrypt. According to Hunt, “all but the worst possible password choices are going to remain secure even with the breach now out in the public.”

    Dropbox's security boss Patrick Heim also says that there’s no indication that Dropbox user accounts have been improperly accessed. However, affected users who may have reused their password on other sites should take steps to make their passwords both on Dropbox and other sites, strong and unique, and enabling two-step verification.

    If you are among those affected by the breach you should have received a notification already prompting you to change your password. You can also check whether your data was breached in this or other security incidents at Have I Been Pwned -- a site maintained by Hunt.

    Permalink to story.

  2. DaveBG

    DaveBG TS Addict Posts: 303   +97

    I have personally entered several random dropbox accounts (did not do anything just viewed some photos of babies!) at the time they were furiously denying it :D
  3. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    This is a huge issue for such service, good thing my personal policy is activate 2 step auth everywhere that has, and also to change the passwords every now and then. This still leaves a bitter aftertaste.

    How can he assure such a thing?
    Last edited: Sep 1, 2016
    AnonymousSurfer likes this.
  4. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 452   +40

    How can they be allowed to not report it for 4 years? That is the biggest thing that pissed me off.

    I got hacked on several accounts in 2014 by some Russian IP. I used the same dropbox password for a couple of things, but not all of my accounts. Well, sure enough they got hacked, however no changes were made to my dropbox account. No file changes, no password changes, none of that.

    If they know someone has hacked their systems and is out selling the millions of stolen emails/passwords etc, they should inform their users of it. It's ridiculous they let it go for four years. That's some shady NSA style BS that a company should not be allowing to happen. Not without some sort of repercussions.
  5. treetops

    treetops TS Evangelist Posts: 2,073   +219

    The Amish were right all along!
  6. DaveBG

    DaveBG TS Addict Posts: 303   +97

    it was reported by some independent media sites, but all those posts were quickly shot down by numerous commenters with low count comments, that said things like :"its a lie" "bs" "fud" and so on... so I just thought someone has prepaid for a long time... so I have sent (in PM) to several of those posters some accounts to test for themselves... strangely enough never heard back and those accounts were no longer accessible with the same pass soon after...

    I just want to point that dropbox is shitty insecure service , with greedy intentions that should not be used by anyone.
  7. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 452   +40

    I have nothing of any real value on dropbox, I use it as a coordless USB between computers when transferring word docs and text files. I would have preferred if only my dropbox had been hacked as opposed to gmail, psn, and a couple others.

    The fault was mine with using the same password across multiple sites. That has since been changed. I made sure to do that after recovering my other accounts
  8. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +902

    No it's not, it's secure for the most part, if you've added 2 step authentication (As recommended much about everywhere) and used a unique password for the service, it would've not been an issue at all.

    When you use something over the internet you should always expect it to try to get hacked.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...