The scope of a compromise of Dropbox four years ago that the company initially said only involved customer email addresses being stolen has now expanded, with more than 68 million user passwords dumped online.
The cache comprises passwords that are hashed with either SHA-1 or bcrypt and none of them are in plaintext. When Dropbox first disclosed the breach in 2012, company officials said that the attackers had taken users’ email addresses and some users were receiving spam on those accounts. The compromise was the result of a Dropbox employee reusing an internal password.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again,” the company said at the time.
But now, Dropbox is forcing all of its users who haven’t changed their passwords since mid-2012 to reset them. The company hasn’t provided any further details on why it didn’t detect the theft of the passwords in 2012 or how the passwords were taken.
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” Patrick Heim of Dropbox said of the password dump.
Researchers who have analyzed the Dropbox password files have confirmed that they’re authentic Dropbox credentials. Troy Hunt, who maintains the Have I Been Pwned archive, said half of the passwords were hashed with SHA-1 and half with bcrypt, a much stronger algorithm. He checked a known password that his wife used for Dropbox against the hash of it he found in the credential dump and found they matched.
Hunt said the way Dropbox handled the passwords makes the credential dump less of a threat to many users.
“As for Dropbox, they seem to have handled this really well. They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon and frankly even if she hadn’t, that password was never going to be cracked. Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” Hunt said.
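The two points the article turns on, the check Hunt ran (does a password you already know match the hash stored against your own address in the dump?) and why the bcrypt half of the dump is so much less exposed than the SHA-1 half, can be shown in a few lines. The following is an added example and is not code from the article, from Dropbox or from Have I Been Pwned. Because Python's standard library does not include bcrypt, it uses salted PBKDF2-HMAC-SHA256 as a stand-in for a slow, salted password hash; the `pbkdf2$...` storage format, the `PBKDF2_ITERATIONS` value and the `email:hash` sample dump lines are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Work factor for the slow hash. bcrypt expresses this as a cost parameter
# (2**cost rounds); PBKDF2 uses an iteration count. Constructed value, kept
# modest so the example runs quickly; tune to your hardware in production.
PBKDF2_ITERATIONS = 100_000


def sha1_digest(password: str) -> str:
    """Unsalted SHA-1, the scheme behind the weaker half of the dumped hashes.

    SHA-1 is a fast general-purpose hash with no salt: identical passwords
    give identical digests, and each candidate guess costs one cheap hash.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) standing in for bcrypt.

    Stored as 'pbkdf2$<iterations>$<salt hex>$<digest hex>' (constructed
    format) so the verifier can recover the parameters, the same way a bcrypt
    string carries its cost factor and salt.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against either stored format, in constant time."""
    if stored.startswith("pbkdf2$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        recomputed = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(recomputed.hex(), digest_hex)
    # Anything else is treated as a bare hex SHA-1 digest.
    return hmac.compare_digest(sha1_digest(password), stored.lower())


def check_known_credential(dump_lines: Iterable[str], email: str, password: str):
    """Hunt's authenticity check: does a password you already know match the
    hash recorded against your own e-mail address in the dump?

    Returns True or False for a match, or None if the address is absent.
    """
    for line in dump_lines:
        addr, _, stored = line.partition(":")
        if addr.strip().lower() == email.lower():
            return verify(password, stored.strip())
    return None


def relative_cost(guesses: int = 20) -> float:
    """Seconds per guess for the slow hash divided by seconds per guess for SHA-1.

    A fixed salt is used only so the measurement is repeatable. The ratio is
    roughly the factor by which a guessing attacker's throughput drops when a
    bcrypt-style hash replaces a bare fast hash, which is why the SHA-1 half of
    the dump is the exposed half.
    """
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(guesses):
        sha1_digest(f"guess{i}")
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for i in range(guesses):
        slow_hash(f"guess{i}", salt=salt)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


# Constructed sample dump lines in an 'email:hash' layout; not real data.
SAMPLE_DUMP = [
    "alice@example.com:" + sha1_digest("password"),
    "bob@example.com:" + slow_hash("correct horse battery staple",
                                   salt=bytes.fromhex("00112233445566778899aabbccddeeff")),
]

if __name__ == "__main__":
    print("alice, known password:", check_known_credential(SAMPLE_DUMP, "alice@example.com", "password"))
    print("bob, wrong password:  ", check_known_credential(SAMPLE_DUMP, "bob@example.com", "wrong"))
    print("slow/fast cost ratio: ", round(relative_cost(), 1))
```

The `check_known_credential` call is the defender's version of Hunt's check: run it only against your own address with a password you already hold, to confirm whether a published dump is genuine and whether your entry is in the fast-hash half. The `relative_cost` figure is what makes Hunt's remark concrete: with a salted, slow hash even a modest password survives far longer, while an unsalted SHA-1 entry gives that protection up entirely.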