2012 Dropbox Hack Far Worse Than Feared

John Lister's picture

A 2012 hacking incident has turned out to be far worse than initially believed. It turns out that the theft of more than 60 million account details also included passwords.

Online storage company Dropbox admitted to the breach at the time, but only said a list of email addresses of customers had been stolen. It either didn't know or didn't say that passwords were also compromised.

The incident was particularly embarrassing at the time, as the hack proved simple thanks to a Dropbox employee's poor lack of judgement. The employee's LinkedIn password had been stolen as part of a breach at that site, which hackers then correctly used to access on Dropbox. To make things worse, that same employee used Dropbox to store a document with a list of 68,680,741 Dropbox customer emails. (Source: vice.com)

Passwords Also Stolen

It's now emerged that Dropbox may have been particularly careful about the way it explained the breach. While it was technically true that only the email addresses were directly exposed to the hackers, it's now clear they were also able to retrieve customer passwords. However - unlike the email addresses, the passwords were encrypted.

This element of the breach only came to light this week when files appeared on a darknet site used by hackers and criminals. A darknet site is an Internet site that's not directly accessible in a normal web browser without first installing special software.

The good news is that it's unlikely anyone will be able to access the passwords themselves. Around half were encrypted with a secure hash algorithm, a process which makes it extremely time-consuming to crack and decrypt passwords. The rest used a less effective form of hashing, but did also include salt, in which random data is added as part of the encryption process to make decryption more difficult.

Site Resets Unchanged Details

It's not entirely clear when Dropbox management knew that passwords were part of the data stolen in 2012. Last week it carried out a mandatory reset of any account passwords that have not been changed since that time.

In a deeply ironic warning, Dropbox added that "affected users who may have reused their password on other sites should take steps to protect themselves on those sites." (Source: cnet.com)

What's Your Opinion?

If Dropbox knew passwords had been stolen, should they have revealed this? Does it make any difference that the passwords were encrypted? What measures do you take to protect yourself from such massive site breaches?

Rate this article: 
Average: 4.7 (9 votes)


justbluesky8_7743's picture

I have an alphabetical Address Book for keepng favorite links, web sites and passwords.
Usually I invent new passwords so as not to use the same password on more than one site.
I find it easy to use pencil so I can rub out old passwords when they are changed.
If I want to file a site under more than one letter of the alphabet, the second entry dose not include the password and instead is labled "see X" where X refers to where the first entry is made. This simple method ensures passwords only require updating in one place.