Online cloud storage firm Dropbox has been hacked, with over 68m users’ email addresses and passwords leaked on to the internet. The attack occured in 2012. At the time Dropbox reported a collection of user’s email addresses had been stolen. It did not report that passwords had been stolen as well.
The dump of passwords came to light when the database was picked up by security notification service Leakbase, which sent it to Motherboard.
Hunt said: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing.”
Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.
Half the passwords were still encrypted with SHA1 at the time of the theft.
“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure you enable Dropbox’s two-step verification while you’re there if it’s not on already.”
The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.
Dropbox reset a number of users’ passwords at the time, but the company has not said precisely how many.
Adapted from the Guardian