A cyber attack that targeted Dropbox back in 2012 affected over 68 million users, according to a new report.
Dropbox had acknowledged the breach at the time it took place, but never officially revealed how it happened or how many users were affected.
According to files obtained by Leaked Source and first reported by Motherboard, the data stolen back in 2012 includes the login details of 68,680,741 users.
Motherboard, citing an unnamed Dropbox employee, has confirmed the data is legitimate.
The full details of the 2012 Dropbox hack are only now coming to light, just a week after the company announced it was forcing some users to reset their passwords.
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” Dropbox said in a blog post.
The roughly 68 million user accounts are now believed to be linked to the 2012 incident.
“We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password”, the company added.
Of the roughly 68 million passwords, some 32 million were secured with the bcrypt hashing function. bcrypt is deliberately slow to compute and uses a tunable work factor, which makes cracking the leaked hashes at scale impractical.
The remaining 36 million used the older SHA-1 hash, which is fast to compute and therefore much easier to attack with a wordlist. However, Dropbox also salted these hashes, and according to Motherboard the salts do not appear to have been compromised, so an attacker holding only the digests cannot test password guesses against them offline. Should the salts ever leak, that protection disappears and the SHA-1 records become as exposed as any other fast, salted hash.
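To make the difference between these schemes concrete, here is an added example (not Dropbox's code or data) that runs a small dictionary attack against a constructed credential dump. Each record is stored under one of the schemes discussed above: unsalted SHA-1, salted SHA-1 with the salt leaked, salted SHA-1 with the salt withheld, and a slow salted scheme. bcrypt is not in Python's standard library, so PBKDF2-HMAC from `hashlib` stands in for it; the e-mail addresses, salts, wordlist and iteration count are all invented for the demonstration.

```python
"""
Added example: a dictionary attack against a constructed credential dump,
showing why the hashing scheme behind a leaked hash matters.
Not Dropbox's code or data. PBKDF2-HMAC (hashlib) stands in for bcrypt
as the slow, salted, work-factor-governed scheme.
"""
import hashlib
import hmac

# Work factor for the slow scheme; bcrypt's cost parameter plays the same role.
PBKDF2_ROUNDS = 20_000

# Constructed attacker wordlist, the kind assembled from earlier breaches.
WORDLIST = ["123456", "password", "linkedin", "dropbox2012", "qwerty"]


def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes) -> str:
    # Stand-in for bcrypt: per-user salt plus a tunable work factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def build_dump() -> list[dict]:
    """Constructed records as an attacker would see them in a leak.
    'salt' is None when the salt was kept elsewhere and not leaked."""
    secret_salt = bytes.fromhex("c0ffee00c0ffee00")  # stays on the server
    return [
        {"email": "alice@example.com", "scheme": "sha1", "salt": None,
         "digest": sha1_unsalted("password")},
        {"email": "bob@example.com", "scheme": "sha1-salted", "salt": b"\x01" * 8,
         "digest": sha1_salted("linkedin", b"\x01" * 8)},
        {"email": "carol@example.com", "scheme": "sha1-salted", "salt": None,
         "digest": sha1_salted("linkedin", secret_salt)},
        {"email": "dave@example.com", "scheme": "slow-salted", "salt": b"\x02" * 8,
         "digest": slow_salted("dropbox2012", b"\x02" * 8)},
        {"email": "erin@example.com", "scheme": "sha1", "salt": None,
         "digest": sha1_unsalted("Tr0ub4dor&3")},  # not in the wordlist
    ]


def crack(records: list[dict], wordlist: list[str]) -> tuple[dict, int]:
    """Try every wordlist entry against every record.
    Returns (recovered {email: password}, approximate number of hash
    primitive evaluations); the latter is the attacker's cost."""
    recovered, cost = {}, 0

    # Unsalted hashes: one precomputed table serves every user in the dump.
    table = {sha1_unsalted(w): w for w in wordlist}
    cost += len(wordlist)

    for rec in records:
        if rec["scheme"] == "sha1":
            if rec["digest"] in table:
                recovered[rec["email"]] = table[rec["digest"]]
            continue
        if rec["salt"] is None:
            # Salted, but the salt was not leaked: a guess cannot be verified offline.
            continue
        if rec["scheme"] == "sha1-salted":
            hasher, per_guess = sha1_salted, 1
        else:
            hasher, per_guess = slow_salted, PBKDF2_ROUNDS
        for guess in wordlist:
            cost += per_guess
            if hmac.compare_digest(hasher(guess, rec["salt"]), rec["digest"]):
                recovered[rec["email"]] = guess
                break
    return recovered, cost


if __name__ == "__main__":
    found, work = crack(build_dump(), WORDLIST)
    for email, pw in found.items():
        print(f"{email}: {pw}")
    print(f"hash evaluations: {work}")
```

Alice's unsalted hash falls to a single precomputed table shared across the whole dump; Bob's salted SHA-1 still falls, but only by hashing the wordlist once per user; Carol's record, salted with a salt that never left the server, yields nothing no matter how good the wordlist is, which is the position Motherboard describes for the SHA-1 portion of the Dropbox data; Dave's slow hash costs 20,000 primitive evaluations per guess, and real bcrypt at a sensible cost factor is considerably worse for the attacker, which is why the bcrypt portion is treated as safe. Note that the evaluation counter is an approximation of work, and that real-world SHA-1 cracking runs on GPUs at billions of guesses per second.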
Meanwhile, TechCrunch reports that the hackers were able to access Dropbox's corporate network and steal the 68 million credentials after logging in with a Dropbox employee's password.
It is believed the unnamed employee had used the same password on their own LinkedIn account.
This is significant because LinkedIn was also hacked in 2012, with users' passwords stolen shortly before the breach at Dropbox.
If you want a lesson in why you should never reuse the same password across multiple online accounts, this is it!
Dropbox told TechCrunch it has since taken measures to stop employees reusing passwords, and has given all employees access to the 1Password password manager to help them create and use strong, unique passwords.
Dropbox recommends that anyone who has not updated their password since mid-2012 do so immediately.
It is also recommended that you enable two-step verification on your Dropbox account, so that a stolen or reused password alone is not enough to log in.