IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

68 million Dropbox credentials leak online

Old hack from 2012 linked to fresh usernames and passwords data dump

Hacker overlooking a city

More than 68 million Dropbox customers' usernames and passwords have been leaked after a four-year-old hack, it has emerged.

The stolen credentials date back to mid-2012, and Dropbox acknowledged last week that it was forcing some customers to reset their passwords if they have not changed it since that period.

However, today breach notification service Leakbase told Motherboard it has obtained four 5GB files filled with 68,680,741 Dropbox users' credentials.

Dropbox confirmed to IT Pro that more than 60 million accounts have been affected - around two-thirds of the company's userbase back in 2012.

"We can confirm that the scope of the password reset we completed last week did protect all impacted users," said Dropbox's head of trust and security Patrick Heim in a statement.

"Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012."

That was a bumper year for hacks - the login information of 117 million users was stolen from LinkedIn, and Tumblr and MySpace also suffered major breaches in a similar period. Many cybercriminals attempted to use password data from these breaches to break into other sites, where users may have recycled their passwords.

At the time, Dropbox said affected accounts were compromised through password reuse, blaming the incident on hacks of other sites that gave hackers credentials they could then try out on victims' Dropbox accounts.

But it also disclosed that the hackers stole a Dropbox employee's credentials, and used them to access "a project document with user email addresses". 

Dropbox today maintained that the 68 million leaked credentials that surfaced today from that old incident were obtained through password reuse, rather that through a breach of its network.

However, security expert Troy Hunt, who specialises in tracking data breaches such as this, told IT Pro that "without a shadow of a doubt, the data was taken from Dropbox's system". He claimed that the leaked database could not have been the result of credential reuse, saying "there's no way this was cobbled together from other sources".

Hunt tested the leaked bcrypt hashes against his wife's unique password that he claims was only stored in a password manager and on Dropbox's servers, saying "you simply can't fabricate this sort of thing". Instead, he said that the data could have been obtained from a backup or a poorly-stored log on Dropbox's own systems.

Dropbox refused to futher clarify the matter, calling it an ongoing security investigation. Hunt was also quick to note that Dropbox customers were not in any immediate danger because of the resiliency of Dropbox's bcrypt hashing algorithm, and praised the way the company dealt with the situation.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Researchers demonstrate how to install malware on iPhone after it's switched off
Security

Researchers demonstrate how to install malware on iPhone after it's switched off

18 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022