Dropbox was hacked in mid-2012, leading to an account information dump for 68 million users, according to LeakedSource, a service for searching leaked databases. Although there is no evidence so far that Dropbox user accounts have been improperly accessed, and all the stolen passwords were stored as hashes rather than in clear text, users are strongly recommended to take precautions. Dropbox has sent a notification email to users who might be affected, urging them to reset their password as soon as possible.
Dropbox hack leads to a leak of 68M user passwords
The root of this attack can be traced back to 2012, when Dropbox was penetrated and reported a data breach affecting a number of user accounts. At that time, Dropbox did not reveal the exact number of hacked accounts, nor did it mention that user passwords had leaked.
Now the 2012 breach strikes again: a file containing usernames and password hashes for more than 68M accounts has recently surfaced. A former Dropbox employee who declined to give a name has confirmed the authenticity of this file. Troy Hunt, a Microsoft Regional Director, also wrote on his blog that the account details for his wife and himself in that file were real.
Last week, Dropbox started notifying users who had logged in before 2012 by email, recommending that they reset their password the next time they log in. The company also posted a follow-up notice advising: ‘If you signed up for Dropbox before mid-2012 and reused your password elsewhere, you should change it on those services. We recommend that you create strong, unique passwords, and enable two-step verification. Also, please be alert to spam or phishing because email addresses were included in the list.’
How do I know if my account was hacked?
Users can visit the site ‘Have I Been Pwned?’ and enter their email address to check whether their account appears in known breaches. If their account information is on the leaked list, they will see the notification ‘Oh no – pwned!’
Dropbox indicates that there has been no malicious access to the leaked user accounts so far. Also, approximately 32 million of the stolen passwords were hashed with the strong, deliberately slow hashing function bcrypt, making it unlikely that attackers can recover a user’s actual password from the hash. The rest of the passwords were hashed with salted SHA-1: a random string (the salt) is added to the actual password before hashing, so that two users with the same password get different hashes and precomputed lookup tables cannot be applied to the whole file at once.
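To make the difference between the two storage schemes concrete, here is an added example that is not part of the original article or of Dropbox’s own code. It implements salted SHA-1 as the article describes it (random salt plus one SHA-1 pass), a slow salted key derivation function for comparison, and a small benchmark showing how many candidate passwords one CPU core can test per second against each. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; that substitution, the sample password and the iteration count are this example’s own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample password for the demonstration; not taken from any leaked file.
SAMPLE_PASSWORD = "correct horse battery staple"


# --- Scheme 1: salted SHA-1, the weaker of the two schemes the article describes ---

def hash_salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Prepend a random salt to the password and hash once with SHA-1.

    Returns (salt, digest). The salt is stored next to the digest so the
    password can be checked later; it is not secret, it only ensures that two
    users with the same password do not share a digest.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_salted_sha1(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted digest and compare in constant time."""
    candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


# --- Scheme 2: a deliberately slow, salted KDF ---
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in
# the standard library. Like bcrypt it is salted and has a tunable cost factor
# that makes every password guess expensive; it is not bcrypt itself.

PBKDF2_ITERATIONS = 100_000  # cost parameter, analogous to bcrypt's work factor


def hash_slow(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_slow(password: str, salt: bytes, digest: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the PBKDF2 digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# --- Why the distinction matters: how many guesses per second each scheme allows ---

def guesses_per_second(hash_fn: Callable[[str, bytes], Tuple[bytes, bytes]],
                       salt: bytes, rounds: int) -> float:
    """Time `rounds` hashes of throwaway candidate strings with a fixed salt.

    The result is the rate at which a single core could test candidate
    passwords against one leaked digest; lower is better for the defender.
    """
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}", salt)
    elapsed = time.perf_counter() - start
    return rounds / elapsed


def compare_schemes() -> Dict[str, float]:
    """Benchmark both schemes with the same salt and return guesses per second."""
    salt = os.urandom(16)
    return {
        "salted_sha1_guesses_per_s": guesses_per_second(hash_salted_sha1, salt, 20_000),
        "slow_kdf_guesses_per_s": guesses_per_second(hash_slow, salt, 5),
    }


if __name__ == "__main__":
    salt, digest = hash_salted_sha1(SAMPLE_PASSWORD)
    print("salted SHA-1 verify:", verify_salted_sha1(SAMPLE_PASSWORD, salt, digest))
    salt, digest = hash_slow(SAMPLE_PASSWORD)
    print("slow KDF verify:", verify_slow(SAMPLE_PASSWORD, salt, digest))
    for name, rate in compare_schemes().items():
        print(f"{name}: {rate:,.0f}")
```

The salt defeats precomputed tables and hides which users share a password, but it does nothing to slow down an attacker who tries candidates one digest at a time; on a laptop the salted SHA-1 rate is in the millions per second and a GPU raises that by orders of magnitude, while the slow KDF cuts it to a few per second per core. That gap is why the bcrypt-protected half of the file is so much harder to crack than the salted SHA-1 half, and why the article still urges a password reset for everyone.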
Still, users are urged to take action to strengthen their account security, including resetting their password, choosing a unique one, and enabling two-step verification. Anyone using the same password for Google, OneDrive or other services is strongly recommended to change the password on each of those services as well.