Hacker Selling 68 Million Stolen Dropbox User Accounts on Dark Web

The stolen Dropbox data is now available for sale on the dark web — Yet another blow to the online file hosting and storage giant.

On 31st August 2016, unknown hackers leaked 68 million Dropbox user accounts including login emails and encrypted passwords from a breach that took place in 2012. Initially, the leaked data was accessible to several breach notification sites such as Hacked-DB, LeakedSource, and HaveIbeenPwned, but now a vendor going by the online handle of “DoubleFlag” is selling the same DropBox data on a dark web marketplace known as TheRealDeal.

The data is being sold for BTC 02.000 (1209.38 US Dollar). The total number of accounts offered for sale are 68,679,804 which includes emails and encrypted passwords. There are 36,814,524 passwords that are encrypted with Secure Hash Algorithm 1 (SHA-1), 36,814,524 passwords are Brute force salt while 31,865,280 are encrypted with Blowfish encryption algorithm.

Remember, Blowfish is vulnerable to birthday attack, brute force salt is a random string added to a hash function to increase the security of decryption trys.

Must Read: Dropbox users hit with ‘urgent, highly confidential’ docs download phishing scam


HackRead got in touch with the vendor who also shared 1000 Dropbox users’ data as a sample that shows email accounts from several email domains linked with the accounts and almost every user are also using the same email for their Facebook accounts.


We also contacted data breach notification company Hacked-DB and asked if these password hashes are easily crackable and according to them,

“It depends on the actual password complexity. SHA1 can be decrypted by using offline or online tools such as HashKiller.

This is not the first time when such a massive amount of data went up for sale days after it was leaked. In fact, 2016 has been a bad year for tech and social media giants.

Must Read: Chinese Group ‘Admin338’ Use DropBox To Deliver Their Payload

Earlier this year, hackers stole and sold 427 Million MySpace passwords on the same dark web marketplace; in May 2016, 117 million LinkedIn and 33 million Twitter login credentials and were listed on a dark web marketplace for sale.

Bad times for Dropbox just when they thought the nightmare was over… but it ain’t over till it’s over.

Related Posts