Skip to main content
  1. Home
  2. Computing
  3. Mobile
  4. News

A hack from 2012 haunts Dropbox as details emerge on 68 million accounts

Jonathan Keane
By

Dropbox Notes
aradaphotography/Shutterstock
Last week Dropbox advised users with accounts from around or before 2012 to change their passwords. That’s because a hack around four years ago compromised some 68 million accounts, and it’s only now that the extent of the attack is becoming clear.

Dropbox knew of the original hack, reports Motherboard, but was not aware of the scale. The site said it obtained a 5GB copy of the compromised data that contained email addresses and hashed passwords of more than 68 million accounts. An unnamed “senior Dropbox employee” verified the authenticity of the data.

At the same time Troy Hunt, the security pro behind haveibeenpwned.com, backed up these claims. He wrote that this database is not a collection of credentials that just happen to work on Dropbox but rather the result of a very real hack.

“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing,” he said, but added that he believed Dropbox were handling the situation very well by force resetting users’ passwords.

Patrick Heim, Dropbox’s head of trust and security, said all potentially affected users have been notified. He stated it was a precautionary measure, but did not specify how many passwords were reset by the company.

It was in a later statement that Dropbox clarified: “We can confirm that based on our intelligence number we have seen is in the 60+ mil range.”

Heim further warned users to change their passwords on other sites if they have reused their Dropbox credentials, and even if they use two-factor verification. The company added that it has seen no evidence of malicious activity on affected accounts.

The passwords that were stolen were hashed to protect them from being revealed to an attacker. However, they were not all hashed equally. Reportedly, 32 million of 68 million passwords were hashed by bcrypt, which is considered quite strong, but the remainder were hashed with SHA-1, which is gradually becoming outdated and easier to crack.

If you’re a Dropbox user that had an account in 2012, you should have received a password reset notification. If not, you may want to change your password anyway to be on the safe side, and certainly change any re-used passwords on other sites.

Editors' Recommendations

Video-editing app LumaFusion to get a Galaxy Tab S8 launch

A tablet featuring the LumaFusion video editing app.

Destructive hacking group REvil could be back from the dead

Person typing on a computer keyboard.

Cash App breach impacts millions of U.S. customers

Cash App for mobile payments.

Online criminals stole nearly $7 billion from people in 2021

A tired man with a laptop in an office.

70,000 Nvidia employees reportedly affected by recent hack

Person typing on a computer keyboard.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Best QLED TV deals for May 2022

55 inch samsung uhd 7 series q60 qled 4k tvs amazon deal 49 tv 720x720

How to use Great Runes in Elden Ring

how to pre order elden ring logo

Best Walmart TV deals for May 2022

lg 55 inch oled 4k tvs deal walmart class b8 tv

How to find a village in Minecraft

how to find a village in minecraft

How to unlock the grappling hook in Dying Light 2

Frank from Dying Light 2 talking to Aiden.

How to play co-op in Stranger of Paradise: Final Fantasy Origin

Jack Garland with the Warriors of Light in Final Fantasy Origin.

The best CPU benchmarking software for 2022

A technician placing a CPU into a motherboard socket for a PC.