Dropbox hack exposed nearly 70mn users’ credentials

 © dropbox.com
Dropbox confirmed that a four-year-old security breach exposed not only e-mails but also the hashed passwords of some 68 million users. The company however insisted that there was “no indication” the accounts had been “improperly accessed.”

“There have been many reports about the exposure of 68 million Dropbox credentials. The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed,” the company said in a press release distributed on Wednesday.

The file hosting service said that millions of surfaced credentials date back to 2012, and had likely been compromised back then. The company claimed it become aware of the list only two weeks ago and received a copy of the hacked accounts list just “several days ago.”

Dropbox initially disclosed the data breach back in 2012. However at the time it did not say that the hackers had been able to pilfer passwords along with users’ email addresses.

A list containing some 68,680,741 account credentials in four 5GB files relating to the four-year-old hack were obtained by security breach notification website Leakbase earlier this week. The files were then independently verified by Motherboard, which concluded that the leaked data is real.

“Nearly 32 million of the passwords are secured with the strong hashing function bcrypt, meaning it is unlikely that hackers will be able to obtain many of the users’ actual passwords. The rest of the passwords are hashed with what appears to be SHA-1, another, aging algorithm. These hashes seem to have also used a salt; that is, a random string added to the password hashing process to strengthen them,” Motherboard said

The authenticity of the files was also verified by security researcher Troy Hunt who after reviewing the leaked files said the company was not just a little, but “proper hacked” four years ago.

“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing,” Hunt wrote on his website.

While claiming that none of the accounts had been improperly accessed, the cloud data storage firm sent out emails to all users who haven’t updated their password since mid-2012 or earlier, prompting them to change passwords next time they log into their Dropbox.

To calm down over 500 million people who use the Dropbox services, the company said that it has implemented a broad set of controls including “independent security audits and certifications, threat intelligence, and bug bounties for ethical hackers.”