Hackers have stolen over 68 million account details from popular cloud storage platform Dropbox, a report has revealed.
The latest entry to the roster of mega-breaches sees the revelation of a massive compromise of Dropbox user accounts. Altogether, over 68 million user account details were compromised, stemming from a 2012 breach. Late last week, Dropbox announced a mandatory password reset for a number of user accounts, specifically those created during or before mid-2012, when the breach occurred. While Dropbox did not reveal the number of accounts facing mandatory resets, the decision to reset passwords was taken out of precaution, Dropbox wrote recently.
The cloud storage provider had stated:
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.
Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.
However, a report by Motherboard has now revealed that the breach has affected a staggeringly large number of users. The publication obtained a number of files containing email addresses and hashed passwords from Dropbox users affected during the breach. A total of four files, weighing around 5GB, contained details on a total of 68,680,741 Dropbox accounts.
Notably, Motherboard also cites a senior Dropbox employee who remained unnamed, to confirm that the data is legitimate.
The data dump also threw up some insights into the type of password algorithms used by Dropbox in 2012. Nearly 32 million passwords were secured using bcrypt – a commonly used resolute hashing function. As a result, it is highly unlikely that malicious hackers or cybercriminals who obtain the data would be able to obtain the affected users’ actual passwords. The rest of the passwords are hashed with an aging SHA-1 algorithm. These passwords appeared with a salt to reinforce the password hashing process with a random string as a means to strengthen the password.
While one hacker told Motherboard that he or she had already gained possession of the data dump, it hasn’t surfaced in major dark web marketplaces, where such dumps are usually found. Fortunately, the bcrypt hashing function adequately secures passwords, diminishing their value in the cybercriminal market.
Featured image from Shutterstock.