On Thursday night, I was among many longtime Dropbox users who received an email stating that passwords that hadn’t been changed since mid-2012 would be reset. When I asked around, I was told that this was just precautionary, as it said in the email.
Account details were obtained and released in 2012, but Dropbox said at the time that these were logins reused from other sites that had been breached, not credentials taken from Dropbox itself.
Today, Joseph Cox of Vice explains that the breach was much worse than previously reported:
Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts. The data is legitimate, according to a senior Dropbox employee who was not authorized to speak on the record.
This is pretty awful, and Dropbox didn’t help matters by being less than forthcoming. However, resetting passwords on affected accounts was the right move: the database isn’t being sold on dark markets because, for logging in to Dropbox, it’s effectively worthless now. The passwords were also stored hashed and salted rather than in the clear, which makes recovering them from the dump far more expensive. The one caveat is that a reset only protects Dropbox; anyone who reused their 2012 Dropbox password elsewhere should change it there too.
Thanks to Allen Tan.
Update: Samuel Gibbs, the Guardian:
The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.
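To make the Guardian’s “salted” remark concrete, here is a small added example (mine, not code from Dropbox, Motherboard or the Guardian, and not a claim about which algorithm Dropbox actually used). It hashes a constructed two-user table once without a salt and once with a per-user random salt, using PBKDF2-HMAC-SHA256 as the illustrative salted scheme, then runs a wordlist against both leaked tables and counts the hash computations an attacker needs. The users, passwords and wordlist are made up for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: two users who happened to choose the same password,
# and a tiny wordlist of the kind an offline cracker would try first.
USERS = {"alice@example.com": "correct horse", "bob@example.com": "correct horse"}
WORDLIST = ["password", "123456", "correct horse"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password. Identical passwords collapse to one digest,
    so one precomputed lookup cracks every account that shares it."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) stored as 'iterations$salt$digest'.
    A fresh random salt per record means equal passwords get unrelated digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack(records: dict, wordlist: list, salted: bool):
    """Offline guessing against a leaked table.
    Returns (cracked_users, hash_computations).
    Unsalted: hash each guess once, then look every record up in that table.
    Salted:   every guess must be re-hashed under each record's own salt."""
    cracked = {}
    work = 0
    if not salted:
        lookup = {}
        for guess in wordlist:
            lookup[unsalted_hash(guess)] = guess
            work += 1
        for user, digest in records.items():
            if digest in lookup:
                cracked[user] = lookup[digest]
    else:
        for user, stored in records.items():
            for guess in wordlist:
                work += 1
                if verify_password(guess, stored):
                    cracked[user] = guess
                    break
    return cracked, work


def build_tables():
    """Build both leaked-table variants from the constructed user list."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted digests identical:", unsalted["alice@example.com"] == unsalted["bob@example.com"])
    print("salted digests identical:  ", salted["alice@example.com"] == salted["bob@example.com"])
    for name, table, flag in (("unsalted", unsalted, False), ("salted", salted, True)):
        found, work = crack(table, WORDLIST, salted=flag)
        print(f"{name}: cracked {len(found)} accounts with {work} hash computations")
```

With only two users the difference in work is small (three hash computations against six), but it scales with the number of records: salting forces the attacker to redo the whole wordlist for each of the 68 million accounts rather than once for all of them, and the iteration count multiplies the cost of every one of those guesses. None of this helps a user whose password is in the wordlist, which is why the reset still mattered.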