Mega Dropbox Data Breach Uncovered: 68 Million Passwords Stolen

A Dropbox data breach from 2012 has just been uncovered. A dataset including usernames (email addresses) and encrypted passwords has recently been provided to a number of breach notification sites, including LeakedSource, HaveIBeenPwned, and Hacked-DB. The data have also been listed for sale on the hacking marketplace, TheRealDeal. According to the listing, there are 68,679,804 login credentials in the dataset.

Dropbox is now emailing all users affected by the breach, urging them to log in to their account and change their password. In some cases, but not all, Dropbox has performed a password reset, and those users will be forced to change their password at their next login.

The data breach occurred around the middle of 2012. The accounts of individuals who have reset their password or created a Dropbox account since August 2012 remain secure. The passwords of individuals who have not performed a password change since the middle of 2012 are likely to be in the hands of criminals.

While a number of mega data breaches uncovered in 2016 have come as a surprise, it did not take long for the Dropbox data breach to be discovered.

Shortly after the cyberattack, users of the site began reporting that they were receiving a high volume of spam emails. A Dropbox investigation concluded that the accounts had been compromised as a result of password sharing: the passwords for users' accounts were believed to have been obtained in a data breach at another company.

Users at Risk After Dropbox Data Breach

The stolen passwords were encrypted, but that does not mean that they cannot be decrypted. According to HackRead, over half of the passwords were encrypted with SHA-1 (Secure Hash Algorithm 1) and just under half using Blowfish. The former can be cracked using brute force techniques and the latter is susceptible to birthday attacks. However, Leakbase says the passwords were encrypted using bcrypt. If that is the case, the passwords will be much harder to crack. That said, even when bcrypt is used, weak passwords can still be cracked with relative ease.

2012 and 2013 were bad years for data breaches, although it has taken until 2016 to find out just how badly many online services were hit. Earlier this year we discovered that LinkedIn had been hacked and the login credentials of 117 million users had been obtained by hackers. Then there was the colossal breach at MySpace. 427 million passwords were stolen in that attack. The data from a 65-million record breach at Tumblr have also recently been listed for sale.

It is probable that the Dropbox data breach of 2012 will not be the last to be uncovered in 2016. In fact, LeakedSource has indicated that a number of other large-scale data breaches will be announced in the next few months, all of which occurred in 2012 and 2013.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news