Passwords Revealed in Dropbox Hack
In 2012, Dropbox suffered a security breach in which more than 68 million users’ email addresses were taken and later dumped onto the internet. At the time, that appeared to be the extent of the damage. It has now surfaced that the passwords linked to those accounts were compromised as well.
Recently, the security notification service Leakbase came across a database of the stolen credentials and passed it on to Motherboard. Independent security researcher Troy Hunt then verified the data by finding his own account details, and those of his wife, in it.
“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords,” Hunt said. “You simply can’t fabricate this sort of thing.”
The company had around 100 million customers at the time of the attack, so the dump covers roughly two-thirds of its user base. In 2012 Dropbox was already following good practice by storing only hashes of the passwords rather than the passwords themselves. It appears the company was midway through migrating its password hashing from SHA-1 to the stronger, deliberately slow bcrypt algorithm when the theft took place: about half of the stolen hashes are still SHA-1. That matters because SHA-1 is a fast general-purpose hash, so an attacker holding the dump can test guesses against those hashes orders of magnitude faster than against the bcrypt ones.
“The bcrypt hashing algorithm protecting [the passwords] is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. “Definitely still change your password if you’re in any doubt whatsoever and make sure you enable Dropbox’s two-step verification while you’re there if it’s not on already.”
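To make the difference between the two halves of the dump concrete, here is an added illustration (not code from the article, Dropbox or Troy Hunt): an offline dictionary attack run against a salted SHA-1 hash and against a deliberately slow password hash. Python's standard library has no bcrypt, so `hashlib.scrypt` stands in for it; what matters for the demonstration is that both bcrypt and scrypt make each guess expensive. The wordlist, salt and passwords are constructed for the example.

```python
"""Why the SHA-1 half of a credential dump is at far greater risk than the bcrypt half.

Constructed example: the wordlist, salt and passwords are made up.
hashlib.scrypt stands in for bcrypt (not in the standard library); both are
deliberately slow password hashes, which is the property that matters here.
"""
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the top-N list a real cracker would use.
WORDLIST = ["123456", "password", "dropbox", "qwerty", "letmein",
            "iloveyou", "monkey", "football"]


def sha1_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: one fast hash call per guess. The salt defeats precomputed
    tables but does not slow an attacker who has it (it ships with the dump)."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash (scrypt as a stand-in for bcrypt).
    n=2**14 costs tens of milliseconds per guess instead of microseconds."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def crack(target: bytes, salt: bytes, hash_fn, wordlist):
    """Offline dictionary attack: hash each guess with the victim's salt and compare.
    Returns (recovered_password or None, number_of_guesses_made)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), target):
            return candidate, guesses
    return None, len(wordlist)


def seconds_per_guess(hash_fn, salt: bytes, rounds: int = 5) -> float:
    """Measure the attacker's per-guess cost for a given hash function."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(16)
    weak, strong = "letmein", "mellow-gravel-07-otter"  # constructed passwords
    for name, fn in (("SHA-1", sha1_hash), ("scrypt (bcrypt stand-in)", slow_hash)):
        for pw in (weak, strong):
            found, n = crack(fn(pw, salt), salt, fn, WORDLIST)
            status = "cracked" if found else "not in wordlist"
            print(f"{name:26} {pw!r:26} -> {status} after {n} guesses")
        per = seconds_per_guess(fn, salt)
        print(f"{name:26} ~{per * 1e6:,.0f} us/guess; 10^9 guesses ~ {per * 1e9 / 3600:,.1f} h")
```

Running it shows the two points the article makes: a password that sits in a common wordlist falls after a handful of guesses whatever the hash, which is why Hunt still advises changing it; but each scrypt guess costs thousands of times more than a SHA-1 guess, so a keyspace an attacker can exhaust in hours against the SHA-1 half becomes years against the slow-hashed half.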
The hack highlights the need for tight security at both ends of the user experience. The company needs to store password hashes securely, using a slow, salted algorithm such as bcrypt rather than a fast general-purpose hash, but the user also needs to understand the importance of unique, strong passwords: a password found in a common wordlist falls quickly whatever the hash, and a password reused on other sites puts those accounts at risk too.
If you’d like to know whether your Dropbox account is among those in the dump, you can go to haveibeenpwned.com and enter your email address.
If you haven’t already, maybe you should change your Dropbox password, just for good measure.