Just days after Dropbox prompted users to reset passwords as a result of a hack that occurred in 2012, more information has surfaced that showed how massive its impact was. According to a recent report by Motherboard, more than 68 million accounts were affected, where both email addresses and encrypted passwords were leaked.
Dropbox acknowledged the breach at the time it occurred, but it didn't disclose the full extent of the hack. Language used by then-VP of engineering, Aditya Agarwal, also seemed to point to the idea that Dropbox believed only emails were stolen in the attack.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again.
Motherboard was originally provided the information by a company called Leakbase, which gained access to the dataset and sent it to Motherboard. According to Motherboard, it received files "containing email addresses and hashed passwords for the Dropbox users." The four files totaled 5GB in size, and Motherboard reported that a senior Dropbox employee confirmed the legitimacy of the data.
SEE: Information security policy template (Tech Pro Research)
Citing Patrick Heim, head of trust and security for Dropbox, Motherboard noted that last week's password reset likely covered all users who would have been impacted by the breach. Additionally, no malicious activity has been discovered on the accounts, Dropbox told Motherboard.
Hopefully, the impact will be minimal, if there is any impact at all. As noted by several outlets, the passwords that were stolen were encrypted, so they will likely not be able to be used by the hackers.
If you are a user, especially if you have a business account—change your Dropbox password. Even if the passwords are encrypted, it's an easy step to take to protect yourself and your organization.
Perhaps the biggest lesson that enterprise users can learn from all of this is the importance of security hygiene for every employee. The initial 2012 hack occurred because a Dropbox employee was using the same password to log into their corporate account as they were on another site. That password was stolen from the other site, and used to access Dropbox's network. So, encourage your employees to not use the same password across multiple sites, and to change their password often.
The 3 big takeaways for TechRepublic readers
- A new report from Motherboard revealed that the 2012 Dropbox hack affected more than 68 million accounts, leaking email addresses and encrypted passwords.
- The passwords were encrypted, and there doesn't seem to be any malicious activity happening on the affected accounts.
- Dropbox users should reset their passwords, and employees should be sure not to use the same password across multiple accounts and websites.
- Millions of devices are still vulnerable, says researcher who discovered Stagefright (TechRepublic)
- Dropbox prompts users to reset old passwords (ZDNet)
- Free tool helps your IT team assess phishing risks (TechRepublic)
- Dropbox gets hacked ... again (ZDNet)
- How to use Dropbox Version History and save crucial documents (TechRepublic)
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.