Cyber Security

Someone Is Already Selling Dropbox User Info On The Dark Net

If you're still using your old Dropbox password anywhere, it's time to change it.

Illustration: Diana Quach
Sep 01, 2016 at 11:46 AM ET

Days after news broke that Dropbox had been massively hacked in 2012, that user information is now purportedly for sale on a dark net marketplace.

The data for sale seems to be the same as that recently acquired by several researchers: the email addresses of some 68 million customers, complete with hashed passwords (stored as one-way hash values rather than in plaintext). As reported by Motherboard, some of those passwords were hashed with SHA-1, a fast general-purpose hash that is poorly suited to password storage; others with bcrypt, a password-hashing function designed to be slow to compute. Dropbox has responded by manually resetting the passwords of certain users.

Now, an enterprising data trafficker is trying to sell what they say is that database. For 2 bitcoins ($1,141), a user named doubleflag says, you can have a copy of all 68 million users’ data.

To verify they indeed possessed a huge cache of Dropbox user info, doubleflag sent Vocativ a large list of email addresses and hashed passwords. All 50 email addresses Vocativ tried were indeed included in the known Dropbox breach, according to services like haveibeenpwned and LeakedSource, which allow potentially compromised users to enter their email address and see if they were included in certain known major breaches. Seven of those 50 email addresses were unique to the Dropbox breach.

After providing the sample for verification purposes, doubleflag did not respond to further questions on how they came to possess the user information.

With news that its users had been compromised several years ago, Dropbox joins a host of other sites, including LinkedIn, Tumblr, and MySpace, whose old breaches have put scores of people’s old email addresses and passwords in the hands of hackers around the globe. Even though that information is old, it still poses a significant danger to the public, considering how frequently people reuse passwords across multiple sites. Soon after the LinkedIn and MySpace breaches were openly sold on the dark net, scores of users began reporting that their accounts on online financial services like PayPal had been compromised. Some criminals apparently used old passwords to access remote desktop services like TeamViewer, giving them full access to victims’ stored passwords for sites such as their bank accounts.

Whether or not you’ve been contacted by Dropbox, the prescription for anyone who’s used any of those sites is the same: Check your email address at one of the aforementioned services, and if any of your accounts have been compromised, change that password everywhere you’ve used it.