The top 12 security stories of 2016

Stuart Sumner

Most of us thought 2015 was the year of the data breach, but then 2016 happened. 2017 has a job to do if it wants to continue the trend.

Dropbox hacked: Credentials of 68 million users spilled





In August, cloud storage company Dropbox, which had reportedly been considering a public share offering in 2017, was believed to have been compromised in a major cyber attack spilling some 68 million personal records.

The incident was uncovered by venerable security researcher Troy Hunt, who claimed that both he and his wife were affected. It came less than a week after Dropbox sent emails to a number of users suggesting that they update their passwords, which, the company said, hadn't been updated for a number of years.

Motherboard was first with the news, but Hunt verified it by checking his own details against a database released by a 'supporter' of the Have I been pwned? website.

"Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked," Hunt explained in a blog post.

"Not just a little bit hacked and not in that 'someone has cobbled together a list of credentials that work on Dropbox' hacked either, but proper hacked to the tune of 68 million records."

Dropbox said in a blog post the previous week that anyone with a password created five or more years ago should change it immediately.

"If you signed up for Dropbox prior to mid-2012 and haven't changed your password since, you'll be prompted to update it the next time you sign in," the company said.

"We're doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed. We're sorry for the inconvenience.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."

Old the details might be, but Hunt confirmed that his wife's details were exposed and that her password had not been changed since 2012.

"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords. You simply can't fabricate this sort of thing," he said.

"The only places that password ever existed were in her strongly encrypted 1Password keychain and on Dropbox's servers. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of."
