Dropbox confirms massive breach of account credentials, but denies improper access
02 Sep 2016
Dropbox recently revealed that a massive leak of user credentials from 2012 had been discovered on the dark web, and the number of affected accounts is said to be far beyond the initial estimate.
The company protected its user passwords by hashing and salting them, meaning that hackers who had come by the hashed files that belonged to Dropbox's users were not able to crack them.
However, Tech Times cited sources as claiming that more information was taken from Dropbox than the company had first admitted publicly. In addition to the leak of Dropbox user emails, a significant number of hashed passwords associated with the affected emails had got into the hands of hackers.
According to Motherboard, the credentials of 68,680,741 Dropbox users were compromised in the leak.
At the time of the hack, Dropbox was enforcing "bcrypt", a more robust hashing method than SHA-1, the standard algorithm of the time. Of the stolen passwords, 32 million were said to be hashed with bcrypt.
Despite the security breach, Dropbox has registered a significant expansion of its user base over the past years.
In November 2012, the company chief, Drew Houston, affirmed that the number of user accounts had doubled, exceeding 100 million. The company also recently reported a significant increase, counting as many as 500 million users.
Last week, Dropbox users received emails saying customers who signed up for the service prior to mid-2012, and had not changed their password since then, would be forced to do so the next time they signed in. In an FAQ webpage, which it provided at the time on the reset process, the company stated that the measure was "purely preventative."
Meanwhile, the company said, "The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on."