A hack from 2012 haunts Dropbox as details emerge on 68 million accounts

Last week Dropbox advised users with accounts from around or before 2012 to change their passwords. That’s because a hack around four years ago compromised some 68 million accounts, and it’s only now that the extent of the attack is becoming clear.

Dropbox knew of the original hack, reports Motherboard, but was not aware of the scale. The site said it obtained a 5GB copy of the compromised data that contained email addresses and hashed passwords of more than 68 million accounts. An unnamed “senior Dropbox employee” verified the authenticity of the data.

At the same time Troy Hunt, the security pro behind haveibeenpwned.com, backed up these claims. He wrote that this database is not a collection of credentials that just happen to work on Dropbox but rather the result of a very real hack.

“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing,” he said, but added that he believed Dropbox were handling the situation very well by force resetting users’ passwords.

Patrick Heim, Dropbox’s head of trust and security, said all potentially affected users have been notified. He stated it was a precautionary measure, but did not specify how many passwords were reset by the company.

It was in a later statement that Dropbox clarified: “We can confirm that based on our intelligence number we have seen is in the 60+ mil range.”

Heim further warned users to change their passwords on other sites if they have reused their Dropbox credentials, and even if they use two-factor verification. The company added that it has seen no evidence of malicious activity on affected accounts.

The stolen passwords were hashed rather than stored in the clear, so an attacker holding the dump has to guess each password and check the guess against its hash. However, they were not all hashed equally. Reportedly, 32 million of the 68 million passwords were hashed with bcrypt, a salted, deliberately slow password hash that is considered quite strong, while the remainder were hashed with SHA-1. SHA-1 is a fast general-purpose hash with no built-in work factor, so guesses can be tested against it at very high rates, and it is gradually being retired in favor of stronger algorithms; that makes the SHA-1 half of the dump far cheaper to crack.
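To make the difference between the two halves of the dump concrete, here is an added example (not Dropbox's code, and built on a constructed wordlist and constructed accounts with no relation to any real Dropbox data). It simulates what an attacker holding a leaked table of email addresses and hashes can do: against unsalted SHA-1, the wordlist is hashed once and every account is recovered by table lookup, and identical passwords are visible even before cracking; against a salted, iterated hash, every guess must be recomputed per account. bcrypt itself requires the third-party `bcrypt` package, so PBKDF2-HMAC from the Python standard library stands in for it here; the salt-plus-work-factor behaviour it demonstrates is the same one bcrypt provides.

```python
"""Cracking cost of unsalted SHA-1 versus a salted, slow password hash.

Added example, not Dropbox's code. The wordlist, accounts and passwords below
are constructed for the demo. PBKDF2-HMAC stands in for bcrypt, which would
need a third-party package; both add a per-user salt and a tunable work factor.
"""
import hashlib
import hmac
import os
import time

# Constructed attacker wordlist and constructed victim accounts.
WORDLIST = ["123456", "password", "dropbox", "letmein", "qwerty", "iloveyou"]
ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "dropbox",
    "carol@example.com": "password",    # same password as alice
    "dave@example.com": "Tr0ub4dor&3",  # not in the wordlist; never recovered
}
WORK_FACTOR = 50_000  # PBKDF2 iterations; bcrypt's cost parameter plays the same role


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, the weak storage format."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = WORK_FACTOR) -> bytes:
    """Salted, iterated hash standing in for bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_dumps():
    """Return (sha1_dump, slow_dump), the two tables an attacker would obtain."""
    sha1_dump = {email: sha1_hex(pw) for email, pw in ACCOUNTS.items()}
    slow_dump = {}
    for email, pw in ACCOUNTS.items():
        salt = os.urandom(16)  # unique per account, stored beside the hash
        slow_dump[email] = (salt, WORK_FACTOR, slow_hash(pw, salt))
    return sha1_dump, slow_dump


def crack_sha1(sha1_dump):
    """Hash the wordlist once, then recover every account by table lookup.

    Returns (recovered, hashes_computed). The cost is one SHA-1 per wordlist
    entry regardless of how many accounts are in the dump.
    """
    table = {sha1_hex(w): w for w in WORDLIST}
    recovered = {e: table[h] for e, h in sha1_dump.items() if h in table}
    return recovered, len(WORDLIST)


def crack_slow(slow_dump):
    """Attack each account separately; the salt defeats any shared table.

    Returns (recovered, hashes_computed). Every guess costs WORK_FACTOR
    iterations and must be redone for every account.
    """
    recovered, guesses = {}, 0
    for email, (salt, iters, digest) in slow_dump.items():
        for w in WORDLIST:
            guesses += 1
            if hmac.compare_digest(slow_hash(w, salt, iters), digest):
                recovered[email] = w
                break
    return recovered, guesses


if __name__ == "__main__":
    sha1_dump, slow_dump = build_dumps()
    # Duplicate passwords leak from an unsalted dump before any cracking starts.
    print("alice and carol share a SHA-1 hash:",
          sha1_dump["alice@example.com"] == sha1_dump["carol@example.com"])
    print("alice and carol share a salted hash:",
          slow_dump["alice@example.com"][2] == slow_dump["carol@example.com"][2])
    for name, crack, dump in (("SHA-1", crack_sha1, sha1_dump),
                              ("salted PBKDF2", crack_slow, slow_dump)):
        start = time.perf_counter()
        found, work = crack(dump)
        print(f"{name}: recovered {len(found)}/{len(dump)} accounts with "
              f"{work} hash computations in {time.perf_counter() - start:.3f}s")
```

Run as a script, the SHA-1 pass finishes in microseconds after six hash computations for four accounts, while the salted pass needs thirteen full PBKDF2 computations (two guesses for alice, three for bob, two for carol, and all six for dave, who is never found) and takes visibly longer; raising `WORK_FACTOR` scales that cost linearly for the attacker, which is the property bcrypt's cost parameter gives Dropbox's stronger half of the dump.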

If you’re a Dropbox user who had an account in 2012, you should have received a password reset notification. If not, you may want to change your password anyway to be on the safe side, and certainly change that password anywhere else you reused it.
