Dropbox hacked: Credentials of 68 million users spilled

Dropbox "proper hacked", claims security researcher

Cloud storage company Dropbox, which had reportedly been considering a public share offering in 2017, is believed to have been compromised in a major cyber attack spilling some 68 million personal records.

The incident was uncovered by venerable security researcher Troy Hunt, who claimed that both he and his wife were affected. It comes less than a week after Dropbox sent emails to a number of users suggesting that they update their passwords which, the company said, hadn't been updated for a number of years.

Motherboard was first with the news, but Hunt verified it by checking his own details against a database released by a ‘supporter' of the Have I been pwned? website.

"Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked," Hunt explained in a blog post.

"Not just a little bit hacked and not in that ‘someone has cobbled together a list of credentials that work on Dropbox' hacked either, but proper hacked to the tune of 68 million records."

Dropbox said in a blog post last week that anyone with a password created five or more years ago should change it immediately.

"If you signed up for Dropbox prior to mid-2012 and haven't changed your password since, you'll be prompted to update it the next time you sign in," the company said.

"We're doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed. We're sorry for the inconvenience.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."

Old the details might be, but Hunt confirmed that his wife's details were exposed and that her password has not changed since 2012.

"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords. You simply can't fabricate this sort of thing," he said.

"The only places that password ever existed was in her strongly encrypted 1Password keychain and on Dropbox's servers. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of."

Dropbox acknowledged our email, and the problem, but claimed that this was old news.

"This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed," said Patrick Heim, head of trust and security at Dropbox.

"Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all affected users.

"Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn't changed their password since."

The company advised users that, while Dropbox accounts are protected, people who may have reused their password on other sites should take steps to protect themselves on those sites.

"The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing," Dropbox said.