A breach disclosed by Dropbox in 2012 has resulted in the theft of usernames and hashed and salted passwords of over 60 million users.
At the time, the company did not give the impression that the breach was so extensive – either their investigation did not discover the whole extent of it, or the company chose not to disclose it.
In any case, last week Dropbox announced it will be forcing a password update on users who signed up for the service prior to mid-2012 and haven’t changed their password since then.
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012,” Patrick Heim, Head of Trust & Security for Dropbox, explained in a blog post.
He added that they don’t believe that any accounts have been improperly accessed, but again did not say just how many user credentials had been stolen.
The number has finally been revealed by Motherboard, and the legitimacy of the data confirmed by an unnamed senior Dropbox employee.
The publication obtained the full set of compromised credentials, and found that some 32 million passwords had been secured with bcrypt, and the rest with salted SHA-1. This means that attackers will have a difficult time getting at the passwords underneath – provided those passwords are not predictable and short.
“The Dropbox dump does not appear to be listed on any of the major dark web marketplaces where such data is often sold: the value of data dumps typically diminishes when passwords have been adequately secured,” noted Motherboard’s Joseph Cox.
The legitimacy of the data has also been confirmed independently by security researcher Troy Hunt, who trawled the data for his wife’s record, checked whether the bcrypt-hashed password corresponds to her (complex) plaintext one from early 2012, and found that it does.
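The two points above, that a known plaintext can be checked against a leaked salted hash to confirm a dump is genuine, and that a slow work-factor hash leaves only short or predictable passwords at risk, as an added Python example that is not part of the article or of Dropbox's code. It uses constructed records, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (which needs a third-party package); the iteration count plays the role of bcrypt's cost parameter.

```python
import hashlib
import hmac
import os
import time

# Record shape assumed for this demo: (scheme, salt, digest, cost).
# All records are constructed here; none are values from the real dump.

def sha1_salted(password: str, salt: bytes) -> bytes:
    """One SHA-1 per guess: cheap to verify, and just as cheap to attack."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

def slow_hash(password: str, salt: bytes, cost: int) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256, 'cost' iterations per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)

def make_record(scheme: str, password: str, cost: int = 0) -> tuple:
    salt = os.urandom(16)
    digest = sha1_salted(password, salt) if scheme == "sha1" else slow_hash(password, salt, cost)
    return (scheme, salt, digest, cost)

def verify_record(record: tuple, candidate: str) -> bool:
    """The check a researcher runs on their own record to confirm a dump is real:
    hash a known plaintext with the stored salt and compare in constant time."""
    scheme, salt, digest, cost = record
    guess = sha1_salted(candidate, salt) if scheme == "sha1" else slow_hash(candidate, salt, cost)
    return hmac.compare_digest(guess, digest)

def guesses_per_second(record: tuple, samples: int) -> float:
    """How many candidate checks one core manages per second for this scheme."""
    start = time.perf_counter()
    for i in range(samples):
        verify_record(record, f"candidate{i}")
    return samples / (time.perf_counter() - start)

def seconds_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this shape at the measured rate."""
    return alphabet ** length / rate

if __name__ == "__main__":
    plaintext = "correct horse battery staple"          # constructed sample password
    fast = make_record("sha1", plaintext)
    slow = make_record("pbkdf2", plaintext, cost=20_000)
    print("sha1 match:", verify_record(fast, plaintext), "slow wrong:", verify_record(slow, "wrong"))
    r_fast, r_slow = guesses_per_second(fast, 20_000), guesses_per_second(slow, 20)
    for alphabet, length in ((26, 6), (62, 12)):         # short lowercase vs long mixed
        print(alphabet, length, "salted-sha1 s:", round(seconds_to_exhaust(alphabet, length, r_fast)),
              "slow-hash s:", round(seconds_to_exhaust(alphabet, length, r_slow)))
```

The printed figures show the gap the article describes: the work factor multiplies the cost of every guess, so only a small search space (short, predictable passwords) stays affordable to an attacker.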
He commended Dropbox on how they handled the situation.
“They communicated to all impacted parties via email, my wife did indeed get forced to set a new password on logon and frankly even if she hadn’t, that password was never going to be cracked,” he noted.
“Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public. Definitely still change your password if you’re in any doubt whatsoever and make sure you enable Dropbox’s two-step verification while you’re there if it’s not on already,” he concluded.