A newly surfaced data dump from Dropbox, the online cloud storage platform, shows that attackers got away with over 60 million account details from the site. The data appears to come from an earlier breach rather than a new intrusion, so establishing how many Dropbox users are affected will take some time. Dropbox said it had already forced password resets for the affected users and that it already knew about the breach; the true extent of it is only coming out now.
Reporters received files from the dump containing email addresses and hashed passwords for the affected Dropbox users, obtained from various sources in the database trading community. The four files total about 5GB in size and hold details of close to 68,680,741 accounts. The data is genuine, as confirmed by a Dropbox employee who spoke on condition of anonymity because they were not authorized to discuss the issue.
Dropbox announced earlier this week that it was forcing password resets for users affected by a breach dating back to 2012. The company described the move as proactive and did not say how many resets it had forced.
In the announcement, the company wrote that its security team is continually working to detect new threats to users. Through these efforts, the team detected an old set of user credentials believed to have been taken in 2012, and the company said it believed they came from the breach it had already disclosed back in 2012.
The 60 million user details now circulating are therefore also believed to be linked to that earlier breach. Leakbase, a breach notification service, provided the full dataset, and an analysis showed it included details of users who had signed up for Dropbox in 2013 and earlier.
Patrick Heim, Head of Trust and Security at Dropbox, said he could confirm that the proactive password reset the company had implemented last week covered all affected users. The company had implemented the reset as a precautionary measure to make sure that passwords obtained in the 2012 breach could not be used now to access any accounts. He also encouraged users who have the habit of using the same password for all services to reset their passwords on those other services.
Close to 32 million of the passwords are protected by bcrypt, a strong password hashing function. This means attackers will not be able to recover those users' passwords easily, and in most cases will not recover them at all. The rest of the passwords are hashed with the aging SHA-1 algorithm. The hashes also appear to be salted, which strengthens them further. Dropbox has changed its hashing and salting method several times since 2012 in its effort to keep passwords secure.
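As an added illustration, not part of the original article, of why bcrypt-protected records are so much harder to abuse than salted SHA-1 ones: the script below hashes a constructed password both ways and measures how many candidate guesses per second each scheme allows on one core. bcrypt itself is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it as the deliberately slow, salted hash; the password, salt and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed credential for the demo; nothing here comes from the leaked data.
PASSWORD = b"correct horse battery staple"
SLOW_ITERATIONS = 100_000  # assumed work factor; real deployments tune this to their hardware


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """One fast SHA-1 digest over salt || password (the scheme the older records use)."""
    return hashlib.sha1(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for bcrypt: salted and deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(stored: bytes, candidate: bytes, salt: bytes, hasher) -> bool:
    """Constant-time comparison so verification itself does not leak the stored hash."""
    return hmac.compare_digest(stored, hasher(candidate, salt))


def guesses_per_second(hasher, salt: bytes, guesses: int) -> float:
    """How many candidate passwords per second one core can test against a single record."""
    start = time.perf_counter()
    for i in range(guesses):
        hasher(b"candidate-%d" % i, salt)
    return guesses / max(time.perf_counter() - start, 1e-9)


def compare_schemes() -> dict:
    """Hash the demo password under both schemes and report the throughput ratio."""
    salt = os.urandom(16)  # per-user random salt; one salt is reused here only to compare schemes
    fast_rate = guesses_per_second(salted_sha1, salt, guesses=20_000)
    slow_rate = guesses_per_second(slow_hash, salt, guesses=10)
    return {
        "sha1_verifies": verify(salted_sha1(PASSWORD, salt), PASSWORD, salt, salted_sha1),
        "slow_verifies": verify(slow_hash(PASSWORD, salt), PASSWORD, salt, slow_hash),
        "sha1_guesses_per_s": fast_rate,
        "slow_guesses_per_s": slow_rate,
        "slowdown_factor": fast_rate / slow_rate,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value:,.0f}" if isinstance(value, float) else f"{key}: {value}")
```

The salt defeats precomputed tables for both schemes, but only the slow hash's work factor limits how many guesses per second an offline attacker can try, which is the gap the article describes between the bcrypt and SHA-1 halves of the dump.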
This data dump is one of several to surface over the summer: Tumblr, MySpace, LinkedIn, and VK.com have all had data dumps relating to earlier breaches.
If you're worried about your safety, get yourself a good VPN for an added layer of security, and, as always, remember to practice good password management.