Dropbox Acknowledges 68 Million User Passwords Were Leaked In 2012 Data Breach
Last week, Dropbox initiated a password reset for all of its users who haven’t changed their password since mid-2012. The company initially called it only a “preventative measure.” However, on Tuesday afternoon, the company updated its previous announcement to say that 68 million user credentials had been leaked in the 2012 data breach.
Back in 2012, Dropbox said that an employee’s password was stolen, which then led to the theft of some users’ email addresses. At the time, Dropbox made no mention of user passwords being stolen as well, only that the users whose email addresses were stolen might receive some spam. It's likely that the company didn't know the true extent of the hack, as data breaches sometimes happen without leaving much of a trail behind.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again,” said Dropbox in 2012.
The company’s security researchers only recently found out that an old set of user credentials (both emails and passwords) was circulating online. After further analysis, they realized that those credentials may have been leaked in the 2012 data breach incident.
Troy Hunt, an independent security expert who also created HaveIBeenPwned.com (a website that tells people when their emails were included in various data breaches), discovered that 68,648,009 Dropbox accounts were leaked in the wild.
Dropbox confirmed that number yesterday, but it said that it didn’t believe any of the user accounts were at risk because the passwords had been encrypted, hashed and salted, which makes them harder to brute-force. Accounts with common passwords, such as “password” or “1234,” are of course more vulnerable to brute-forcing, though.
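As an added illustration of the point above (example code written for this article, not Dropbox's own implementation; the KDF, work factor, user store and wordlist are all assumptions), the snippet below stores salted PBKDF2 hashes and then runs the kind of weak-password audit a defender uses to decide which accounts need a forced reset: every guess must be rehashed under each user's own salt, which is the cost the salt imposes, yet users who chose "password" or "1234" are still identified after a handful of guesses.

```python
import hashlib
import os

# Assumption: illustrative work factor for PBKDF2-HMAC-SHA256, not Dropbox's.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password get different digests."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def weak_password_audit(records: dict, wordlist: list) -> set:
    """Return the users whose stored hash matches a known-weak password.

    Because each record carries its own salt, a guess cannot be hashed once
    and compared against every user; it is rehashed per user, which is why
    salting multiplies the work of a brute-force or dictionary search."""
    flagged = set()
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
            if candidate == digest:
                flagged.add(user)
                break
    return flagged


# Constructed sample user store; addresses are placeholders, not real accounts.
USER_STORE = {
    "alice@example.com": hash_password("password"),
    "bob@example.com": hash_password("1234"),
    "carol@example.com": hash_password("Xq9!vT#2mLr8-kPz"),
}

# Constructed short list of common passwords used for the audit.
COMMON_PASSWORDS = ["password", "123456", "1234", "qwerty", "letmein"]


def audit_sample_store() -> set:
    """Run the audit over the constructed store; only the two common-password
    users should be flagged, while the strong password survives the wordlist."""
    return weak_password_audit(USER_STORE, COMMON_PASSWORDS)


if __name__ == "__main__":
    print("accounts needing a forced reset:", sorted(audit_sample_store()))
```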
Although Dropbox said that it believed no user accounts were compromised, whoever had access to the server may also have had access to the encryption key. That would have allowed the attacker to see decrypted passwords while the accounts were in use, according to Tresorit, a company that offers end-to-end encrypted storage for business users.
“Even though the leaked passwords are hashed and not the actual Dropbox passwords, they might possibly be used to access files that are stored on the server. Why? At-rest encryption that stores encrypted files together with encryption keys doesn’t help: those having the hashed passwords may access the files already in a decrypted form,” hypothesized Tresorit.