MANILA, Philippines – Hackers stole the details of more than 68 million accounts from cloud storage service Dropbox as a result of a 2012 breach, Motherboard reported late Tuesday, August 30 (August 31, Manila time).
Earlier in the week, Dropbox forced password resets for an unspecified number of users after it found account details linked to a breach in 2012.
By Motherboard's count, the files it received were around 5GB in size and held details on 68,680,741 accounts. The breach notification service Leakbase gave Motherboard the full set, and Motherboard found that many records in the dataset belonged to real users who had signed up to Dropbox around 2012 or earlier.
Troy Hunt, administrator of the Have I Been Pwned notification service, independently verified the breach, using data sent to him by a supporter of the site.
Hunt wrote in a blog post, "There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing."
Motherboard added that a senior Dropbox employee, who was not authorized to speak on the record, said the data was legitimate.
Patrick Heim, Head of Trust and Security for Dropbox, said in a separate statement, "We've confirmed that the proactive password reset we completed last week covered all potentially impacted users."
"We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts," he added.
Heim also suggested users reset passwords on other services if they suspect they may have reused their Dropbox password.
Motherboard also said that despite the breach, "nearly 32 million of the passwords are secured with the strong hashing function bcrypt, meaning it is unlikely that hackers will be able to obtain many of the users' actual passwords."
"The rest of the passwords are hashed with what appears to be SHA-1, another, aging algorithm. These hashes seem to have also used a salt; that is, a random string added to the password hashing process to strengthen them," the report went on to say. – Rappler.com
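The distinction the report draws, between salted SHA-1 and bcrypt, is what decides how much a leaked dump is worth to an attacker. The Python below is an added illustration, not code from the article, from Motherboard or from Dropbox: it classifies rows of a constructed dump by hash type, reads the cost parameter out of a bcrypt string, and runs a small offline dictionary attack against the salted-SHA-1 rows to show why those users are the cheap targets while bcrypt rows cannot even be checked the same way. Every record and address in it is made up, and the legacy layout SHA1(salt || password) is an assumption, since the report does not say how the pre-2012 hashes were built.

```python
"""Triaging a leaked password dump: salted SHA-1 rows versus bcrypt rows.

Added illustration, not code from the article or from Dropbox. Every record
below is constructed for the demo; none comes from a real breach. The legacy
layout SHA1(salt || password) is an assumption, since the report does not say
how Dropbox built its pre-2012 hashes.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Modular-crypt bcrypt string: $2a$<cost>$<22-char salt><31-char hash>,
# using bcrypt's own base64 alphabet ./A-Za-z0-9.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
HEX_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed bcrypt-shaped string (valid syntax, not the hash of any password).
SAMPLE_BCRYPT = "$2a$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
# Constructed accounts and a tiny wordlist; hypothetical addresses.
DEMO_USERS = {"alice@example.com": "password",
              "bob@example.com": "letmein",
              "carol@example.com": "Tr0ub4dor&3"}
DEMO_WORDLIST = ["123456", "password", "dropbox", "letmein", "qwerty"]

Row = Tuple[str, str, str]  # (email, salt_hex or "", stored hash)


def classify_hash(stored: str) -> str:
    """Tell a bcrypt string from a bare hex SHA-1 digest (or neither)."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if HEX_SHA1_RE.match(stored.lower()):
        return "sha1"
    return "unknown"


def bcrypt_cost(stored: str) -> Optional[int]:
    """Cost parameter c from a bcrypt string; each guess costs 2**c rounds of
    Blowfish key setup, which is what makes offline guessing slow."""
    m = BCRYPT_RE.match(stored)
    return int(m.group(1)) if m else None


def salted_sha1(password: str, salt: bytes) -> str:
    """Assumed legacy scheme: SHA1(salt || password), hex-encoded."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_legacy_dump(users: Dict[str, str]) -> List[Row]:
    """Rows with one per-user salt each, as a salted-SHA-1 dump would look."""
    rows = []
    for i, (email, pw) in enumerate(users.items()):
        salt = hashlib.sha256(f"demo-salt-{i}".encode()).digest()[:8]
        rows.append((email, salt.hex(), salted_sha1(pw, salt)))
    return rows


def triage(rows: List[Row]) -> Dict[str, int]:
    """Count rows per hash type: the SHA-1 rows are the cheap targets."""
    counts: Dict[str, int] = {}
    for _, _, stored in rows:
        kind = classify_hash(stored)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def crack_salted_sha1(rows: List[Row], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on the SHA-1 rows only.

    The per-user salt stops one precomputed table from covering the whole dump,
    but a single SHA-1 per guess per user is still cheap, so weak passwords fall
    quickly. bcrypt rows are skipped: they cannot be checked this way at all.
    """
    cracked: Dict[str, str] = {}
    attempts = 0
    for email, salt_hex, digest in rows:
        if classify_hash(digest) != "sha1":
            continue
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            attempts += 1
            if salted_sha1(guess, salt) == digest:
                cracked[email] = guess
                break
    return cracked, attempts


def demo_dump() -> List[Row]:
    """Three salted-SHA-1 users plus one bcrypt user, all constructed."""
    return make_legacy_dump(DEMO_USERS) + [("dave@example.com", "", SAMPLE_BCRYPT)]


if __name__ == "__main__":
    rows = demo_dump()
    print("hash types:", triage(rows))
    print("bcrypt cost:", bcrypt_cost(SAMPLE_BCRYPT))
    found, tries = crack_salted_sha1(rows, DEMO_WORDLIST)
    print(f"cracked {len(found)} of 3 SHA-1 users in {tries} guesses:", found)
```

Two of the three salted-SHA-1 users fall to a five-word list in eleven hashes, and the salt only prevents those eleven from being shared across users; the bcrypt row is untouched because each guess against it would cost 2**10 rounds of key setup rather than one hash, which is the property the report is pointing at when it calls bcrypt "strong".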