The 2012 breach of credentials from Dropbox involved over 68 million user accounts, according to new reports. Dropbox was not particularly forthcoming in its initial response to the breach, which, it now appears, represented most, if not all, of its user accounts at the time.
Motherboard reported on Tuesday that it had obtained files indicating that the credentials of 68,680,471 accounts had been leaked, and that their legitimacy had been confirmed by “a senior Dropbox employee.” The files have since been verified independently by security researcher Troy Hunt, who found that they contained plaintext email addresses alongside hashed (not encrypted) passwords.
Dropbox said last week in a blog post that users would be forced to reset passwords created before mid-2012 and not changed since. It also reiterated a recommendation that users enable two-step verification, but said that the measures were purely preventative.
Dropbox head of trust and security Patrick Heim said in a statement that there is no indication that any accounts have been accessed, and that the breached passwords were hashed and “salted” with extra characters.
“We can confirm that the scope of the password reset we completed last week did protect all impacted users,” Heim said. “Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.”
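Heim’s two claims above, that the stored passwords were hashed and salted and that a forced reset makes even a cracked password useless, are easy to see in code. The following is an added illustration written for this article, not Dropbox’s own implementation: the accounts, passwords and wordlist are constructed, and PBKDF2-HMAC-SHA256 is used as a stand-in for whatever salted scheme Dropbox actually ran. It contrasts an unsalted SHA-1 store, where one precomputed table cracks every account at once, with a salted store, where the attacker pays a full hash computation per account per guess, and then shows that a password reset invalidates a hash that has already been cracked.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (hypothetical, not data from the Dropbox dump).
# alice and bob happen to share a password, which is common in real user bases.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: equal passwords give equal digests, and one
    precomputed table cracks every account whose password is in the wordlist."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 50_000) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here,
    chosen for the example). Stored as 'iterations$salt_hex$digest_hex';
    the salt is not secret, it only has to be unique per record."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the salted digest from the stored parameters and compare in
    constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted(records: Dict[str, str],
                   wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Attacker against unsalted hashes: hash the wordlist once, then look up
    every stolen digest. The table is built once no matter how many accounts."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {email: table.get(digest) for email, digest in records.items()}


def crack_salted(records: Dict[str, str],
                 wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Attacker against salted hashes: no shared table is possible, so every
    (account, candidate) pair costs a full iterated hash. Returns the guesses
    and the number of hash computations spent."""
    found: Dict[str, Optional[str]] = {}
    work = 0
    for email, record in records.items():
        found[email] = None
        for candidate in wordlist:
            work += 1
            if verify(candidate, record):
                found[email] = candidate
                break
    return found, work


def reset_password(records: Dict[str, str], email: str, new_password: str) -> None:
    """Forced reset: replace the stored record with a fresh salt and digest."""
    records[email] = make_salted_record(new_password)


def demo() -> dict:
    # Constructed wordlist; the shared password is deliberately the third entry.
    wordlist = ["password", "123456", "correct horse battery staple", "letmein"]
    unsalted = {e: unsalted_sha1(p) for e, p in USERS.items()}
    salted = {e: make_salted_record(p) for e, p in USERS.items()}
    salted_collide = salted["alice@example.com"] == salted["bob@example.com"]

    cracked_unsalted = crack_unsalted(unsalted, wordlist)
    cracked_salted, work = crack_salted(salted, wordlist)

    # The attacker has cracked alice's old password, but the service forces a
    # reset in the meantime: the cracked value no longer verifies against the store.
    old_password = cracked_salted["alice@example.com"]
    new_password = "a-new-unrelated-passphrase"
    reset_password(salted, "alice@example.com", new_password)

    return {
        "unsalted_digests_collide": unsalted["alice@example.com"] == unsalted["bob@example.com"],
        "salted_digests_collide": salted_collide,
        "cracked_unsalted": cracked_unsalted,
        "cracked_salted": cracked_salted,
        "salted_work": work,
        "old_password_works_after_reset": verify(old_password, salted["alice@example.com"]),
        "new_password_works": verify(new_password, salted["alice@example.com"]),
    }


if __name__ == "__main__":
    print(demo())
```

Against the unsalted store the shared password shows up as two identical digests and falls to a single table lookup; against the salted store the two digests differ and the attacker spends three PBKDF2 computations per account. Either way the cracked value is worthless once the account has been reset, which is the point Heim was making, and the remaining risk is exactly the one he named next: the same password reused on a site that did not reset it.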
Heim also warned users to be aware of the increased risk of phishing or spam, and to change any breached passwords they had reused on other sites.
Speaking to Cloud Tech, Kaspersky Lab principal security researcher David Emm lauded Dropbox’s preparation, saying that the password hashing, the notice and the advice to consumers go a step beyond purely defensive measures. But in a report on ZDNet, the author says Dropbox’s messaging was off and didn’t convey the seriousness of the issue: “Dropbox, like so many other organizations, is presumably worried that users will be scared away by security breaches, so they soften the language. But experience and research show that when it comes to data breaches, owning up actually increases trust.”