Dropbox hack: 68 million user emails, passwords leaked from 2012 breach

Hackers reportedly stole some 68 million Dropbox passwords back in 2012. Nico De Pasquale Photography/Flickr

Hackers managed to steal over 68 million user email address and password combinations from Dropbox during a hack that occurred in 2012.

Although Dropbox warned users about a “small number” of stolen user credentials at the time, the scope of the attack only came to light Wednesday thanks to a report by Motherboard.

According to the report, Motherboard obtained a selection of files containing email addresses and passwords linked to Dropbox accounts. The files contained details of 68,680,741 accounts in total.

A senior Dropbox employee confirmed the data’s legitimacy, according to the report. Security researcher Troy Hunt also confirmed the legitimacy of the data dump.

However, Dropbox said it has no indication that user accounts were improperly accessed.

Earlier this week, Dropbox announced it was forcing users who signed up for the service before 2012 to reset their passwords, calling the move a “preventative measure.”

“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012,” read the blog post.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”

However, the blog post did not mention how many users were affected by the breach.

Dropbox has assured users that the passwords in the list were hashed and salted and not listed in “plain text” – this means the passwords were scrambled with a one-way hashing function rather than stored in readable form, and it’s unlikely hackers would be able to obtain the actual passwords.

The report also added that the data does not appear to be listed on any major dark web marketplaces.

According to “Have I been Pwned,” a website dedicated to detailing the Internet’s worst data breaches, the Dropbox hack ranks sixth on the list of the top 10 worst data breaches in history.

In 2014, Dropbox denied reports that an anonymous hacker leaked hundreds of usernames and passwords to Pastebin, an anonymous information sharing website. At the time, the hacker claimed to have compromised up to seven million Dropbox accounts.

In a statement to Global News, Patrick Heim, head of Trust and Security at Dropbox, confirmed that the leaked credentials were obtained prior to 2012.

“We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts,” said Heim.

“While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites. The best way to do this is by updating these passwords.”

What users need to know

If you signed up for Dropbox before or during 2012, you will likely receive an email from Dropbox prompting you to change your password. Although it does not appear that any accounts have been affected by the data dump, it’s recommended you change your password as soon as possible.

This is also a good opportunity to highlight the importance of creating a secure, hard-to-guess password.

Stay away from easy-to-guess passwords like “1,2,3,4” or “Password” and easy-to-guess identifiers like your dog’s name.

Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.

One tip is to construct a password from a sentence and mix in a few upper-case letters and a number. For example, “There is no place like home” would become “tiNOplh62.”

Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
