Dropbox Hack in 2012 Targeted Over 60 Million Accounts

Discussion in 'iOS Blog Discussion' started by MacRumors, Aug 31, 2016.

  1. MacRumors macrumors bot


    Apr 12, 2001

    After Dropbox forced a password reset on any user who hadn't changed their login credentials since mid-2012 -- due to a hack faced by the company that year -- new information has surfaced recently detailing the extent of the user data leak.

    According to a collection of files obtained by Motherboard, containing the email addresses and hashed passwords of the affected user base, a total of 68,680,741 Dropbox accounts were successfully targeted during the 2012 hack. When Dropbox announced it was going through with the preventative password reset measure last week, the company didn't give any hint as to the extent of the users touched by the four-year-old hack.


    The "incident," as Dropbox refers to it, was a data breach in the summer of 2012 where a few users began reporting spam sent to email addresses connected to a Dropbox account. Due to a password hack connected to other websites, hackers were able to sign in to "a small number" of Dropbox accounts, including an employee's who had access to a document listing an array of user email addresses.

    Dropbox is confident its message to users last week has covered "all potentially impacted users," and the company is encouraging users to still reset passwords on other services that have the same login information, particularly passwords, previously used for Dropbox.
    As Motherboard discovered, nearly 32 million of the affected accounts were secured with the strong hashing function bcrypt, "meaning it is unlikely that hackers will be able to obtain many of the users' actual passwords." The other half of the passwords had a slightly less secure SHA-1 aging algorithm and were salted with a random string of characters to further strengthen them. Since 2012, Dropbox has changed up this password and account hashing process several times in attempt to make sure every user remains secure.

    Motherboard confirmed that none of the four files, which total 5GB of collected user login data, appear to be anywhere on the dark web. Also, given Dropbox's aggressive measures taken in the past week, their value will continue to "diminish" over time.

    Article Link: Dropbox Hack in 2012 Targeted Over 60 Million Accounts
  2. Mascots macrumors 68000


    Sep 5, 2009
  3. SandboxGeneral Moderator emeritus


    Sep 8, 2010
    I haven't yet to date received any spam that was associated with this hack - at least that I know of. I get a few spam emails now and then, but the junk filter gets them. As for the data I stored in Dropbox, it was all protected inside an encrypted container I made so even if my stuff was taken, there wasn't any way anyone could get to it.
  4. wizard macrumors 68040

    May 29, 2003
    Anybody that thinks online storage will ever be secure is nuts in my mind. Eventually every service will fall to hacking. If you have important dats either encrypt it or keep it off line.
  5. coolfactor macrumors 601

    Jul 29, 2002
    Vancouver, BC CANADA
    What the heck was a Dropbox employee doing with a file containing the login details for 68 million Dropbox users?
  6. ArtOfWarfare macrumors G3


    Nov 26, 2007
    Selling it.

    Seriously though, I was wondering that exact same thing. I've had access at various companies to download login details, but I've never done that, because why would I?

    I feel like the biggest vulnerability at every company that has any user credentials is always a rouge employee.

    Anyways - I changed the email account that was connected to my Dropbox account in 2014... does that immediately mean I don't need to worry about anything? (I originally signed up using my college email address, but when I graduated, I stopped using that address and also changed everything that I had previously associated with it another address.)
  7. MacDawg macrumors Core


    Mar 20, 2004
    "Between the Hedges"
    If my account is hacked they will instantly have access to a treasure trove of old 'to do' lists, a few selfies, some outdated resumes a budget that doesn't quite balance and other golden nuggets
    --- Post Merged, Aug 31, 2016 ---
    Doesn't say he had a file of login details for any users
    Rather it says he "had access to a document listing an array of user email addresses"
  8. RetiredTaxman macrumors newbie

    Feb 4, 2016
    County Durham, UK
    I am not really sure whether I have changed my Dropbox password since 2012, but my ISP kindly decided to improve its service by discontinuing its email provision, so the account has at a minimum a different email address.
  9. Zirel Suspended


    Jul 24, 2015
    Yes, because Dropbox is only used for that. Enterprise costumers clearly only want Dropbox for that. /s
  10. Sunny1990 Suspended


    Feb 13, 2015
  11. CFreymarc Suspended

    Sep 4, 2009
    This is why companies are increasingly becoming compartmentalized in their operations.

    When you have a company undergo rapid growth, keeping security is often an afterthought til something goes awry.
  12. muadibe, Aug 31, 2016
    Last edited: Aug 31, 2016

    muadibe macrumors 6502

    Oct 11, 2010
    It's possible the employee was working on a program which required a subset of data (including email addresses) to work with in testing. Taking a sample of actual email addresses is much easier than coming up with a bunch of fake ones.

    I am one of the 68M but I never keep anything important there to begin with. I don't really use the account anymore and will likely be deleting it.
  13. WBRacing macrumors 65816


    Nov 19, 2012
    That isn't what the article said.
  14. iapplelove macrumors 601


    Nov 22, 2011
    East Coast USA
    Sadly this is true. Wish I never started using iCloud a few years back when my Mac died. I had no other way of backing up my devices
  15. arggg14 macrumors 6502a

    Dec 30, 2014
    Can someone tell me where I can find "the Dark Web"?
  16. sinsin07 macrumors 68040

    Mar 28, 2009
    The same place you find the "dark side of the force".
  17. technopimp macrumors 6502a

    Aug 12, 2009
    If you have to ask...
  18. Nunyabinez macrumors 68000


    Apr 27, 2010
    Provo, UT
    I am more concerned that if they were able to obtain my dropbox name & password pair, they would go to other sites (like a bank) and try the combination there. I use 1password and try to keep good hygiene on my passwords, but to be honest there are lots of sites that in my laziness I just use the same login information (not my bank.)

    And I assume most people are more lazy than me when it comes to passwords.
  19. SandboxGeneral Moderator emeritus


    Sep 8, 2010
    I used to be that way too many years ago and then I got into LastPass and that helped me fix that problem in my digital life. I don't use the same passwords on any sites or services anymore.
  20. Jessica Lares macrumors G3

    Jessica Lares

    Oct 31, 2009
    Near Dallas, Texas, USA
    Both the Sony and Yahoo breaches were pretty similar in password reuse. It doesn't surprise me that people might have had the same password for their Dropbox account around the same time.

    Agree with you @MacDawg I had a bunch of little text files and other junk in my account too. Lots of iOS apps have the Dropbox sync APIs.

    But yeah, lots of people use it for business too.
  21. 0958400 Suspended

    Jul 20, 2011
    Sweet. I received three notices. Thank God I had forgotten I tried it. There's something to say about parking your data at companies who do not even tell you the truth when a fallout happens. Bye Dropbox.
  22. Shirasaki macrumors G3


    May 16, 2015
    It is human nature to try to cover issues, regardless of scale, before anyone knows it. This Applies on individual, company, and to a greater extent, nations.

    If the leak of user data only affects 68 users, not 68m users, we would not even see any media reporting this 68 users data leak.

Share This Page

21 August 31, 2016