Connect with us

Hi, what are you looking for?


Incident Response

68 Million Exposed in Old Dropbox Hack

The email addresses and passwords pertaining to a total of 68,648,009 Dropbox accounts have been compromised following a data breach in 2012.

The email addresses and passwords pertaining to a total of 68,648,009 Dropbox accounts have been compromised following a data breach in 2012.

News of the Dropbox breach emerged several months after a series of mega-breaches were made public, impacting hundreds of millions of users: LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million). 32 million Twitter accounts were also impacted, but the company said that the issue was password reuse, and not a hack.

The Dropbox incident took place in July 2012, but the number of affected users hasn’t been revealed until now. At the time, Dropbox said that it was investigating complaints from users who were receiving spam at email addresses used only for this service, and that several security measures were taken to ensure accounts weren’t compromised.

The root cause of this breach, Dropbox revealed at the time, was a stolen employee password: “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”

Last week, Dropbox started prompting password resets for the possibly affected users, while also revealing that the move is related to the 2012 incident. The company also confirmed that “email addresses plus hashed and salted passwords” were stolen during the breach, but said that it wasn’t aware of any account being improperly accessed.

With the hacked data being traded online, additional info on the breach started to emerge this week, as the dataset landed at various breach index services, including LeakedSource and Have I Been Pwned. These services have confirmed not only that the hack was real, but also the number of impacted users.

According to Troy Hunt, the man behind Have I Been Pwned, the leaked data includes salted hashes of passwords: half of them SHA1, half of them bcrypt. He notes that the relatively even distribution of the two indicates a transition from SHA1 to bcrypt. He also explains that the bcrypt passwords include the salt, but that the SHA1 don’t. Without the salts, he says, they are nearly impossible to crack.

Advertisement. Scroll to continue reading.

Hunt was able to confirm that the leaked data is legitimate, but says that, considering the manner in which the passwords are stored, “all but the worst possible password choices are going to remain secure even with the breach now out in the public.” However, users should still change their passwords, especially if Dropbox prompted them to do so.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in,” Patrick Heim, Head of Trust & Security for Dropbox, said. Users are also advised to enable two-step verification to ensure increased security.

In an email response to a SecurityWeek inquiry, IT security expert Sorin Mustaca said that the surprising fact is that the 2012 hack of Dropbox didn’t emerge earlier, along with the other mega-breaches. He also notes that the use of the SHA1 hashing algorithm with salting improves the security of these passwords.

“Fortunately, Dropbox was using the SHA 1 hashing algorithm (today this is not considered “strong” anymore) and it was using salting even in 2012 – an operation that many other services don’t do even today. Many are using legacy systems which make use of MD5 without hashing – I guess that the ‘never change a running system’ is still applied literally in many websites,” Mustaca said.

To stay protected, he says, users should create unique passwords for each of the services they use, never reuse passwords, and enable two-factor authentication wherever it is available. Service providers should never store passwords in plain text or encrypted, but should use a strong hashing function with a solid salt.

In an emailed comment for SecurityWeek, Chris Roberts, Chief Security Architect at Acalvio, a Santa Clara, Calif. based provider of advanced threat detection and defense solutions, says that he too is surprised that the details regarding this hack have started to emerge only now.

“That’s an awfully long time to wait before publicly stating that ‘we have an issue’. It’s frustrating that the organization potentially knew of the problem, but didn’t confirm it, as there was no credible evidence that the data was in the wild? It would be good to work out or understand why Dropbox didn’t put its hand up and admit the issue back in 2012. Instead, the company waited 4 years until someone actually dropped the hacked accounts after probably harvesting who knows how much intelligence,” he says.

He too notes that people usually tend to stick to a certain number of passwords or pass phrases, which could potentially impact accounts on other services as well. “If the bad guys know it, you can be sure they have/are/will be testing all those other sites,” Roberts says.

“Changing passwords at this point is probably akin to closing the gate once the horse has bolted. Nevertheless, it’s obviously something that has to happen. Then change them again…just to be sure. I would then recommend that you stick them in a good password manager…and then change that password. I’m not sure that’s going to solve anything, but it’s probably better than most people have or currently use,” Roberts concludes.

Steve Durbin, Managing Director of the Information Security Forum, also says that good password hygiene is critical to both users and service providers. To ensure that their data remains safe even if an account has been compromised, users should back it up offline, he also notes.

“You can outsource storage and access to a third party but you cannot outsource your responsibility for security of your data – stuff happens
and when it hits, it’s the user who loses. Encryption certainly helps, but not if it isn’t the latest and greatest. Expect brute force attacks to break through. One area that consumers need to focus on is passwords. Change them regularly, mix them up, don’t share them and don’t expect them to be 100% effective. Passwords will be lost. They will be stolen. They are not perfect. However, they’re pretty close to the best we’ve got in terms of user acceptability and convenience vs. security,” Durbin says.

In 2012, Dropbox launched a bug bounty program to help make its platform more secure by finding security vulnerabiliities before attackers do. 

Related: Russian Hackers Attack Two U.S. Voter Databases: Reports

Related: User Data Possibly Stolen in Opera Sync Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Artificial Intelligence

Two new surveys stress the need for automation and AI – but one survey raises the additional specter of the growing use of bring...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...