
MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,232
16,072



After Dropbox forced a password reset on any user who hadn't changed their login credentials since mid-2012 -- due to a hack faced by the company that year -- new information has surfaced recently detailing the extent of the user data leak.

According to a collection of files obtained by Motherboard, containing the email addresses and hashed passwords of the affected user base, a total of 68,680,741 Dropbox accounts were successfully targeted during the 2012 hack. When Dropbox announced it was going through with the preventative password reset measure last week, the company didn't give any hint as to the extent of the users touched by the four-year-old hack.


The "incident," as Dropbox refers to it, was a data breach in the summer of 2012 where a few users began reporting spam sent to email addresses connected to a Dropbox account. Due to a password hack connected to other websites, hackers were able to sign in to "a small number" of Dropbox accounts, including an employee's who had access to a document listing an array of user email addresses.

Dropbox is confident its message to users last week has covered "all potentially impacted users," and the company is encouraging users to still reset passwords on other services that have the same login information, particularly passwords, previously used for Dropbox.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," said Patrick Heim, Head of Trust and Security for Dropbox. "We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
As Motherboard discovered, nearly 32 million of the affected accounts were secured with the strong hashing function bcrypt, "meaning it is unlikely that hackers will be able to obtain many of the users' actual passwords." The other half of the passwords had a slightly less secure SHA-1 aging algorithm and were salted with a random string of characters to further strengthen them. Since 2012, Dropbox has changed up this password and account hashing process several times in an attempt to make sure every user remains secure.

Motherboard confirmed that none of the four files, which total 5GB of collected user login data, appear to be anywhere on the dark web. Also, given Dropbox's aggressive measures taken in the past week, their value will continue to "diminish" over time.

Article Link: Dropbox Hack in 2012 Targeted Over 60 Million Accounts
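A worked illustration of the distinction the article draws between bcrypt and salted SHA-1, added here as an example (it is not code from the article, Motherboard or Dropbox). It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so it runs without a third-party package, and every sample value is constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values; nothing here comes from the leaked files.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1 as the article describes for half of the 2012 records.
    The random salt defeats precomputed (rainbow) tables, but each guess
    still costs only one SHA-1 call, so offline guessing stays fast."""
    return hashlib.sha1(salt + password).digest()


def work_factor_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    """Adaptive hash standing in for bcrypt. Assumption: PBKDF2-HMAC-SHA256
    from the standard library is used so this runs without the third-party
    bcrypt package; like bcrypt, the cost is logarithmic (2**cost rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 2 ** cost)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so verification does not leak timing."""
    return hmac.compare_digest(stored, candidate)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Measure how many candidate passwords one core can hash per second."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn(os.urandom(8), SAMPLE_SALT)
        n += 1
    return n / seconds


def slowdown_factor(cost: int = 10) -> float:
    """How many times slower per guess the work-factor hash is than salted SHA-1;
    this is the margin that makes the bcrypt-protected half of the leak hard to crack."""
    fast = guesses_per_second(salted_sha1)
    slow = guesses_per_second(lambda p, s: work_factor_hash(p, s, cost))
    return fast / slow


if __name__ == "__main__":
    stored = work_factor_hash(SAMPLE_PASSWORD, SAMPLE_SALT, 10)
    print("verify ok:", verify(stored, work_factor_hash(SAMPLE_PASSWORD, SAMPLE_SALT, 10)))
    print(f"work-factor hash is ~{slowdown_factor(10):.0f}x slower per guess than salted SHA-1")
```

Raising the cost parameter by one doubles the per-guess cost, which is why an adaptive hash can be re-tuned as hardware gets faster while a single salted SHA-1 cannot.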
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
26,482
9,999
Detroit
I haven't yet to date received any spam that was associated with this hack - at least that I know of. I get a few spam emails now and then, but the junk filter gets them. As for the data I stored in Dropbox, it was all protected inside an encrypted container I made so even if my stuff was taken, there wasn't any way anyone could get to it.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,283
5,414
What the heck was a Dropbox employee doing with a file containing the login details for 68 million Dropbox users?

Selling it.

Seriously though, I was wondering that exact same thing. I've had access at various companies to download login details, but I've never done that, because why would I?

I feel like the biggest vulnerability at every company that has any user credentials is always a rogue employee.

Anyways - I changed the email account that was connected to my Dropbox account in 2014... does that immediately mean I don't need to worry about anything? (I originally signed up using my college email address, but when I graduated, I stopped using that address and also changed everything that I had previously associated with it to another address.)
 

MacDawg

Moderator emeritus
Mar 20, 2004
19,824
4,515
"Between the Hedges"
If my account is hacked they will instantly have access to a treasure trove of old 'to do' lists, a few selfies, some outdated resumes, a budget that doesn't quite balance, and other golden nuggets
What the heck was a Dropbox employee doing with a file containing the login details for 68 million Dropbox users?

Doesn't say he had a file of login details for any users
Rather it says he "had access to a document listing an array of user email addresses"
 

RetiredTaxman

macrumors newbie
Feb 4, 2016
8
0
County Durham, UK
I am not really sure whether I have changed my Dropbox password since 2012, but my ISP kindly decided to improve its service by discontinuing its email provision, so the account has at a minimum a different email address.
 

Zirel

Suspended
Jul 24, 2015
2,196
3,008
If my account is hacked they will instantly have access to a treasure trove of old 'to do' lists, a few selfies, some outdated resumes, a budget that doesn't quite balance, and other golden nuggets

Yes, because Dropbox is only used for that. Enterprise customers clearly only want Dropbox for that. /s
 

CFreymarc

Suspended
Sep 4, 2009
3,969
1,149
I feel like the biggest vulnerability at every company that has any user credentials is always a rogue employee.
This is why companies are increasingly becoming compartmentalized in their operations.

When you have a company undergo rapid growth, keeping security is often an afterthought until something goes awry.
 

muadibe

macrumors 6502
Oct 11, 2010
368
374
What the heck was a Dropbox employee doing with a file containing the login details for 68 million Dropbox users?

It's possible the employee was working on a program which required a subset of data (including email addresses) to work with in testing. Taking a sample of actual email addresses is much easier than coming up with a bunch of fake ones.

I am one of the 68M but I never keep anything important there to begin with. I don't really use the account anymore and will likely be deleting it.
 

iapplelove

Suspended
Nov 22, 2011
5,324
7,629
East Coast USA
Anybody that thinks online storage will ever be secure is nuts in my mind. Eventually every service will fall to hacking. If you have important data either encrypt it or keep it offline.

Sadly this is true. Wish I never started using iCloud a few years back when my Mac died. I had no other way of backing up my devices
 

Nunyabinez

macrumors 68000
Apr 27, 2010
1,758
2,230
Provo, UT
I haven't yet to date received any spam that was associated with this hack - at least that I know of. I get a few spam emails now and then, but the junk filter gets them. As for the data I stored in Dropbox, it was all protected inside an encrypted container I made so even if my stuff was taken, there wasn't any way anyone could get to it.

I am more concerned that if they were able to obtain my Dropbox name & password pair, they would go to other sites (like a bank) and try the combination there. I use 1Password and try to keep good hygiene on my passwords, but to be honest there are lots of sites where in my laziness I just use the same login information (not my bank.)

And I assume most people are more lazy than me when it comes to passwords.
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
26,482
9,999
Detroit
And I assume most people are more lazy than me when it comes to passwords.
I used to be that way too many years ago and then I got into LastPass and that helped me fix that problem in my digital life. I don't use the same passwords on any sites or services anymore.
 

Jessica Lares

macrumors G3
Oct 31, 2009
9,429
892
Near Dallas, Texas, USA
Both the Sony and Yahoo breaches were pretty similar in password reuse. It doesn't surprise me that people might have had the same password for their Dropbox account around the same time.

Agree with you @MacDawg, I had a bunch of little text files and other junk in my account too. Lots of iOS apps have the Dropbox sync APIs.

But yeah, lots of people use it for business too.
 

0958400

Suspended
Jul 20, 2011
401
716
Sweet. I received three notices. Thank God I had forgotten I tried it. There's something to say about parking your data at companies who do not even tell you the truth when a fallout happens. Bye Dropbox.
 

Shirasaki

macrumors G4
May 16, 2015
11,694
5,597
Sweet. I received three notices. Thank God I had forgotten I tried it. There's something to say about parking your data at companies who do not even tell you the truth when a fallout happens. Bye Dropbox.
It is human nature to try to cover issues, regardless of scale, before anyone knows of them. This applies to individuals, companies, and to a greater extent, nations.

If the leak of user data only affected 68 users, not 68M users, we would not even see any media reporting this 68-user data leak.
 