Dropbox reported a data breach back in 2012. Late last week, it announced that it is forcing a password reset for all users who haven’t updated theirs in the past four years. It said its security teams had discovered a list of Dropbox user credentials obtained during the 2012 breach.
Since that post, Motherboard has published an article revealing that the attack actually led to the theft of over 60 million user accounts. The scale of the hack has only just come to light because the data has turned up online. 5GB of files containing the usernames and passwords for 68,680,741 Dropbox accounts have made an appearance. A “senior employee” of the company confirmed the data is legitimate.
Yesterday, security researcher Troy Hunt, operator of the Have I Been Pwned (HIBP) website, confirmed the attack is real. A supporter of the website, which enables you to enter your email address to see if it’s included in any known data dumps, sent Hunt the Dropbox files available online. The records have all been added to Have I Been Pwned.
The dump consists of four files. One contains email addresses and bcrypt hashed passwords while another contains email addresses and SHA1 hashed passwords. A hash is a string of text that has been cryptographically scrambled with a secret key to make it unusable without the key. The hashing algorithm cannot be reversed. Hunt speculated that two different hashes are included because the data comes from a time when Dropbox was transitioning from the weaker SHA algorithm to bcrypt.
Hunt performed his own verification to ensure the data is legitimate. He searched for his own email address and found it within the data. However, he last changed his password in 2014, so he could not confirm whether the hashed password given in the data is genuine. He repeated the procedure for his wife.
Her email address was also present in the dump and Hunt was able to verify her password. By hashing it using the bcrypt algorithm, he produced a value that should match the hashed password in the data. The two hashes did match, confirming the data is genuine. As a final indicator, his wife’s password is a completely random string of characters generated by a password manager and virtually impossible to guess. “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can’t fabricate this sort of thing,” said Hunt.
Dropbox has now acknowledged that the attack was far more serious than it had first realised. In an update to its original post, it confirmed that the list of 68 million user credentials “is real.” It will force all users who still use their 2012 password to reset it next time they login. It advised users who have the same password across multiple services to change it on them all. Affected individuals will be contacted.
While the data is genuine, there’s no major pressing concern, according to Hunt. The researcher said that the strength of the bcrypt hashing algorithm makes it very unlikely hackers will be able to crack passwords even now they’re publicly available. People with weak passwords are, as always, the most likely to be affected.
Hunt commended Dropbox’s reaction to the breach, noting the company has handled it “really well.” It has taken the appropriate steps at each point in the investigation and used a strong hashing algorithm, something many companies overlook. The company is continuing its investigation into the breach, now a far more serious incident than anyone had thought back in 2012.
