A major security breach happened at Dropbox in 2012, and the popular cloud file-sharing company was quick to acknowledge it. What it did not disclose at the time was how many users were affected. Now new data has surfaced indicating that as many as 68 million users were impacted.
This data comes from LeakedSource, a data breach index service. LeakedSource's analysis notes that the data stolen in 2012 included details for 68,680,741 users in the format “email:password_hash.” Each password was hashed with one of two algorithms, bcrypt or SHA1: 31,865,280 passwords were hashed with bcrypt, and SHA1 was used for the remaining 36,815,461.
“Looks like SHA1 hashes aren’t immediately crackable,” LeakedSource told Softpedia, “similar to Tumblr.” According to the LeakedSource spokesperson, this was because Dropbox used “some unknown salt” to alter the password hash to improve its complexity.
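The two details above, the “email:password_hash” record format with a bcrypt/SHA1 split and the role of the unknown salt, are easy to make concrete. The following Python is an added example written for this article, not LeakedSource's or Dropbox's code: it parses a small constructed dump in that format, classifies each record by hash type (bcrypt strings carry a recognisable `$2a$cost$` prefix, SHA1 digests are 40 hex characters), and then shows why a per-site salt matters, because a precomputed table of SHA1 digests for common passwords matches an unsalted digest instantly but misses once an unknown salt is prepended. All sample e-mail addresses, hash values and the salt are constructed for the demonstration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample records in the "email:password_hash" format the
# article describes. None of these values come from the real dump.
SAMPLE_DUMP = """\
alice@example.com:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
bob@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol@example.com:$2a$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
dave@example.com:7c4a8d09ca3762af61e59520943dc26494f8941b
eve@example.com:not-a-recognised-hash
"""

# Modular-crypt bcrypt strings: "$2a$" (or 2b/2x/2y), a two-digit cost,
# then 22 salt + 31 hash characters from the bcrypt base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
# A bare SHA1 digest is 20 bytes, i.e. 40 hex characters.
SHA1_HEX_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def classify_hash(hash_value: str) -> str:
    """Return 'bcrypt', 'sha1' or 'unknown' for one stored hash string."""
    if BCRYPT_RE.match(hash_value):
        return "bcrypt"
    if SHA1_HEX_RE.match(hash_value):
        return "sha1"
    return "unknown"


def parse_dump(text: str):
    """Parse 'email:password_hash' lines into (email, hash, algorithm) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines instead of crashing
        email, hash_value = line.split(":", 1)
        records.append((email, hash_value, classify_hash(hash_value)))
    return records


def count_by_algorithm(records) -> dict:
    """Tally how many records use each hash type, as LeakedSource did."""
    return dict(Counter(algo for _, _, algo in records))


def sha1_hex(password: str, salt: bytes = b"") -> str:
    """SHA1 of salt||password as lowercase hex; empty salt = unsalted SHA1."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup(words) -> dict:
    """Precompute unsalted SHA1 digests for a wordlist (digest -> word)."""
    return {sha1_hex(w): w for w in words}


def table_hit(hash_value: str, table: dict):
    """Return the word whose unsalted SHA1 equals hash_value, or None."""
    return table.get(hash_value.lower())


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    print("records by algorithm:", count_by_algorithm(records))

    # A tiny constructed wordlist stands in for a precomputed digest table.
    table = build_lookup(["password", "123456", "letmein"])
    for email, hash_value, algo in records:
        if algo == "sha1":
            print(email, "unsalted table hit:", table_hit(hash_value, table))

    # With an unknown per-site salt, the same table no longer matches.
    salted = sha1_hex("password", salt=b"constructed-unknown-salt")
    print("salted digest table hit:", table_hit(salted, table))
```

Run stand-alone, the script reports two bcrypt, two SHA1 and one unrecognised record, shows the unsalted SHA1 records matching the wordlist table directly, and shows the salted digest of the same password missing it. The bcrypt records are not looked up at all: bcrypt embeds its own random salt and cost factor in the stored string, which is why the bcrypt half of the dump is in a far better position than the SHA1 half.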
Users were asked to change their password last week by Dropbox
The 2012 incident came back to light last week when Dropbox forced users who had registered before 2012 and had never changed their password since to reset it. Dropbox acknowledged the 2012 data breach once again and said it had found some old Dropbox user records being exchanged online.
“We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” Patrick Heim, Head of Trust and Security for Dropbox, told Softpedia following our inquiry into the data’s authenticity.
“We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.”
The Dropbox data isn't for sale on Dark Web marketplaces but has already been circulated among data hoarders. Since the data is being passed around so freely, one can assume it is useless.
“For the most part until we (or someone else) figures out how they [the passwords] were hashed, the database is useless other than knowing who registered for Dropbox for [sending] spam emails,” LeakedSource added.
If you registered before 2012, change your password before someone gets around to cracking the hashed strings.