Dropbox says the hack was related to a security incident in 2012

Last week, after discovering a file containing salted and hashed passwords of Dropbox users, the online storage giant issued a mass password reset for all accounts whose passwords hadn’t been changed since 2012.

Now, Motherboard reports that in 2012, Dropbox suffered a security breach in which attackers stole 68 million usernames and hashed and salted passwords.

We learned last week that Dropbox had asked users who signed up during the first half of 2012 to change their passwords, but the company described it as a preventive measure only. Little did we know that this was part of a bigger threat.

Reports suggest that the hackers accessed and stole more than 60 million account details in the previous data breach. This was not an ordinary or halfhearted breach; it was a properly devised, designed and implemented attack.

Troy Hunt, the founder of “Have I Been Pwned? (HIBP)”, explains that it was not just a fraction of the data that got hacked but “proper hacked to the tune of 68 million records.”

[Image: sample screenshot shows the leaked data is 100% legit / Source: Troy Hunt]

Hunt further stated that there is no doubt about the fact that this data breach is real and the Dropbox passwords obtained by the hackers are “legitimate.”

“You simply can’t fabricate this sort of thing,” says Hunt.

Moreover, Hunt states that the data breach has now reached 68m Dropbox accounts, and that by searching on his website users can get a fair idea of whether their account is protected or not.

Want to know the background story? Read on!

Back in July 2012, the investigation department at Dropbox identified a major data breach involving millions of usernames and hashed and salted passwords from other websites, which were also being used to access Dropbox accounts. The company contacted the affected users and offered help so that their accounts could be protected.

2016 has been a bad year for tech and social media giants. Earlier this year, hackers stole and sold 427 million MySpace passwords on the dark web; in May 2016, 117 million LinkedIn and 33 million Twitter login credentials were listed for sale on a dark web marketplace.

If you are a Dropbox user, change your password for your own security.

Update:

Dropbox has issued a security notice urging users to change their passwords if they haven’t done so since 2012.

“Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012. The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We’re very sorry this happened and would like to clear up what’s going on.

Based on our analysis, the credentials were likely obtained in 2012. We first heard rumors about this list two weeks ago and immediately began our investigation. We then emailed all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can’t be used to access Dropbox accounts.

If you signed up for Dropbox before mid-2012 and reused your password elsewhere, you should change it on those services. We recommend that you create strong, unique passwords, and enable two-step verification. Also, please be alert to spam or phishing because email addresses were included in the list.”

Agan Uzunovic

Agan Uzunovic is a Bosnian journalist who works for the country's largest newspaper. He has a keen interest in reporting on activism and hacktivism. He is also a contributor at the U.S.-based Revolution News media. Agan reports and writes for HackRead on IT security related topics.