Millions of Dropbox users are being advised to change their passwords

Yes, hackers did steal account credentials in 2012.

Millions of Dropbox users are being advised to change their passwords

Earlier this year, reports first began to appear that a historic data breach at Dropbox may have exposed tens of millions of user passwords, after a file claiming to contain millions of Dropbox account details was made available for anyone to download.

At the time, security commentators such as Brian Krebs, Troy Hunt and myself urged internet users to be wary of the claims - as they had not been verified.

After all, it seemed possible that the data had been collected from heavily-reported mega breaches at Tumblr, LinkedIn and MySpace.

Now, however, Dropbox has confirmed to the media that a 5GB archive of files, containing the email addresses and hashed passwords for some 68,680,741 accounts, is genuine.

From Dropbox's blog post on the incident:

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."

Sure enough, Dropbox did warn that it suffered a security breach back in 2012, and that an undisclosed number of users' email addresses were exposed - although the company made no mention at the time that hashed passwords may also have been put at risk.

Next time you log into Dropbox, the site will prompt you to choose a new password if it believes your credentials were at risk. Of course, it's unlikely that 68 million people will have to do that as many may have already changed their passwords since the breach occurred in 2012.

My advice?

  • Enable two-step verification on your Dropbox account. Whether your Dropbox account has been put at risk or not, this is just a bloody good idea.
  • If you believe you might still be using the same Dropbox password as the one you were using in 2012, change it now. If you believe you might have reused that password anywhere else on the web, change it now.
  • Get out of the habit of reusing the same passwords. It's a recipe for disaster. My recommendation is that you get yourself a decent password manager to generate and securely remember your passwords for you.

The point about not reusing passwords cannot be underlined enough. When Dropbox was breached back in 2012, it appears that their systems were compromised because one of their staff had made the mistake of... yes, you've guessed it... reusing passwords.

From Dropbox's 2012 blog post:

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

And yes, you might well ask why a Dropbox employee might have had such easy access to a file containing users' account details...

For more discussion of the dumped Dropbox data, read this blog post by HaveIBeenPwned's Troy Hunt.

Tags: ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

,

5 Responses

  1. Bob

    August 31, 2016 at 1:16 pm #

    Better still use a fully encrypted cloud storage account like: Tresorit, Tarsnap, Tahoe-LAFS or SpiderOak.

    By using a zero-knowledge provider you're taking back control of your data.

  2. Blair S.

    August 31, 2016 at 2:43 pm #

    I've started incorporating the date I created a password in the password so I have some idea how old it is when large hacks like this occur.

    • Bob in reply to Blair S..

      August 31, 2016 at 4:16 pm #

      Surely using a password manager would resolve this problem?

      A good password manager keeps a log of all passwords used for a particular website and the date and time each password was created. It also helps you create extremely secure passwords which you wouldn't be able to memorise (e.g. 8G2Vn9A0@7c9Q#4m753kM1).

      I can't see any benefit in your idea because if you're able to remember such a password then I assume you'd be able to remember roughly when it was created.

      If you're using a password manager then the software will store the date and time it was created making adding the date redundant.

      Is there something I'm missing?

      • Cub in reply to Bob.

        September 1, 2016 at 7:41 am #

        I don't see that option (date when the password was created) in Lastpass. Where is it located?

        • Bob in reply to Cub.

          September 1, 2016 at 12:13 pm #

          I don't use LastPass and you haven't stated what platform you use it on.

          However they do have a "Password Strength" feature which also shows the age of the password in months. Have a look at this screenshot I found:

          http://cdn.makeuseof.com/wp-content/uploads/2014/07/LastPass-Chapter6-lastpass-security-details.jpg?f411a4

          Most good password managers give the full date and time – I'm surprised that LastPass (judging from the linked screenshot) only appears to give the number of months. That's good enough for most people though.

          There's an answered question on the LastPass website which offers you another method of finding the age of your password(s):

          https://lastpass.com/support.php?cmd=showfaq&id=1643

Leave a Reply