Dropbox Drops Other Shoe in Years-Old Data Breach
Dropbox last week confirmed that more than 68 million emails and passwords have been compromised from a hack that originally was disclosed in 2012.
Exposure from the breach was limited to email addresses, Dropbox originally claimed. However, based on the latest revelations, the hackers actually stole hashed and salted passwords. Even so, there have been no indications that they succeeded in accessing user accounts, the company said.
The firm apologized for the belated release of the information, saying it wanted to clear up the confusion.
“We first heard rumors about this list two weeks ago and immediately began our investigation,” the company said in a statement provided by spokesperson Nick Morris. “We then emailed all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since mid-2012.”
The reset ensures that even if the passwords are cracked, they can’t be used to access Dropbox accounts.
Customers who signed up for Dropbox before mid-2012 with a password they used on other services should change those passwords too, Dropbox recommended.
They should create strong, unique passwords and enable two-step verification, the company urged. They also should be alert to spam or phishing attempts, because email addresses were exposed.
For security reasons, Dropbox could not answer any specifics about investigations into the hack, such as whether any outside security experts or law enforcement agencies have been looking into the breach, Morris told the E-Commerce Times.
Dropbox originally disclosed the attack in July 2012, saying it had started getting emails from some users about spam they were receiving at email addresses they used only for Dropbox.
Usernames and passwords stolen from other websites were used to sign into a small number of Dropbox accounts, Aditya Agarwal, vice president of engineering at Dropbox, explained at the time.
A stolen password was used to access an employee Dropbox account that contained a project document with user email addresses, according to the company, which is what led to the spam.
The Dropbox incident is similar to a recent attack on Tumblr, in that the scale of the leak wasn’t apparent for quite some time, observed David Emm, principal security researcher at Kaspersky Lab. The personal information of more than 65 million Tumblr account holders was offered for sale on the dark Web about three years after the original 2013 breach.
“Customers that entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner, and all companies that handle private data have a duty to secure it properly,” Emm told the E-Commerce Times.
Customers can’t take their digital security for granted, he warned. They should use complex passwords and multifactor authentication to guard against threats of this type.