Dropbox Dropped In It
Popular cloud storage firm Dropbox was subject to a security breach in 2012 in which more than 68 million users’ email addresses and passwords were stolen.
The full extent of the attack has only just come to light after security notification service Leakbase found the passwords dumped in an online database.
Dropbox sent out notifications last week to all users who had not changed their passwords since 2012.
The company said it had around 100 million customers at the time, so the data dump represents more than two-thirds of user accounts.
“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed,” Patrick Heim, Dropbox head of trust and security, stated. “Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012.
“We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset process ensures they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.
“While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites. The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing.”