The Dropbox Hack Was A Lot Bigger Than Anticipated
Dropbox has yet to confirm officially the number of affected accounts, despite reports it was up to 70 million
Here’s the latest proof that virtually nobody seems able to provide adequate user data security: Hackers stole the details of almost 70 million user accounts from Dropbox, the file storage service.
According to Motherboard, hackers first obtained the email addresses and hashed passwords for 68,680,741 Dropbox accounts in 2012. While Dropbox reported a breach in July of that year, saying someone had stolen login details from other websites and used them to log into Dropbox accounts, it never stated how many accounts had been affected.
Last week, Dropbox said it would be asking users who signed up before the middle of 2012 to update their passwords the next time they logged in. The company said in a statement, “We learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.” A hashed password has been run through a one-way algorithm, so the stored value cannot simply be reversed to reveal the original password. A “salted” password has an additional string of random text attached before it is hashed, so two users with the same password do not end up with the same stored hash.
Dropbox said it was merely doing this as a precaution, as “we don’t believe that any accounts have been improperly accessed,” despite its earlier statement that some accounts had been accessed.
As news of the hack’s scale broke, Vocativ discovered hundreds of users urging one another to change their password on Dropbox, and on other platforms where they might have used the same login credentials.
“Shit. My account has been compromised due to the Dropbox hack. Time to change passwords again. :(,” one user wrote on Facebook.
Motherboard discovered four files, totaling 5GB and containing nearly 70 million accounts “through sources in the database trading community.” It said an unnamed senior Dropbox employee verified that the accounts related to the same breach.
Almost half the passwords were hashed using bcrypt, considered a strong password-hashing method because it is deliberately slow to compute, Motherboard reported. The rest used an older, weaker method, called SHA-1, but these hashes had been combined with a string of random text, called a salt, which makes precomputed lookup tables useless and forces each hash to be guessed separately.
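As an added illustration (this is not code from the article or from Dropbox), the two storage schemes the article contrasts, plus the defensive step a service can take with legacy records: verify a login against the old salted-SHA-1 hash and, on success, silently re-hash under a slow scheme. bcrypt is not in Python's standard library, so `hashlib.scrypt` stands in for it, and the `salt || password` layout and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed record layout (an assumption, not the dump's real format):
# {"scheme": "sha1" | "scrypt", "salt": hex, "hash": hex}


def sha1_salted(password: str, salt: bytes) -> str:
    """Legacy scheme from the article: a fast hash over salt || password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> str:
    """Slow, memory-hard KDF; scrypt stands in for bcrypt, which needs a third-party package."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1).hex()


def make_legacy_record(password: str) -> dict:
    """Build a record the way a pre-upgrade system would have stored it."""
    salt = os.urandom(8)
    return {"scheme": "sha1", "salt": salt.hex(), "hash": sha1_salted(password, salt)}


def salts_hide_equal_passwords() -> bool:
    """Without a salt, equal passwords give equal hashes; with distinct salts they do not."""
    unsalted_equal = hashlib.sha1(b"hunter2").hexdigest() == hashlib.sha1(b"hunter2").hexdigest()
    salted_differ = sha1_salted("hunter2", b"\x01" * 8) != sha1_salted("hunter2", b"\x02" * 8)
    return unsalted_equal and salted_differ


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Check a login; if the record is still salted SHA-1 and the password is right,
    return a replacement record hashed with the strong scheme under a fresh salt."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(sha1_salted(password, salt), record["hash"])
        if ok:
            new_salt = os.urandom(16)
            record = {"scheme": "scrypt", "salt": new_salt.hex(),
                      "hash": strong_hash(password, new_salt)}
        return ok, record
    if record["scheme"] == "scrypt":
        return hmac.compare_digest(strong_hash(password, salt), record["hash"]), record
    return False, record  # unknown scheme: never accept the login
```

The upgrade only happens when the user presents the correct password, which is why a service cannot migrate old hashes in bulk and instead does it at the next successful login.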