According to reports, hackers have stolen password details of over 60 million accounts of DropBox users, the cloud storage platform.
The accounts were purportedly stolen during a hack that took place in 2012. However, company sources said that they have forcibly reset user passwords.
Though they claimed that they did not know how many users had been affected, they said that the true extent of the hack was only now becoming known to them.
The DropBox Hack
Hackers stole account details of millions of DropBox users in a breach that occurred four years back. Earlier, DropBox reset passwords of those users that hadn’t been changed since the year 2012.
This was done after the company discovered a file that contained salted and hashed passwords obtained during the 2012 hack. The data breach was also seen to be linked with the huge number of accounts that were stolen from LinkedIn.
The company had reported following the incident that they were not sure as to how many users were affected by the hack. The four files that were uncovered totaled about 5 GB in size and contained 68 million account details.
It has been reported by a senior company employee that the data found is legitimate. This fact was also corroborated by the security expert Troy Hunt.
He said that any user could search the website “Have I Been Pwned” to check whether they are a victim of the hack. Another hacker claimed to already have direct access to this data.
According to sources, the company has not published an exact number of the password resets that were made. The hacked details were obtained during the company security team’s routine monitoring for new hack threats targeting users.
When the team intercepted a set of email addresses and hashed and salted passwords of users, these details were analyzed, and it was found that they were linked to the 2012 hack.
Patrick Heim, the Trust and Security Head for DropBox also mentioned that the forced password reset that the company carried out earlier has covered all the users that were impacted by the data breach.
He added that this move was carried out as a precautionary measure so that passwords set by users prior to mid-2012 are not used to access the DropBox accounts improperly. Users were also asked to reset other accounts’ passwords in case they had used the same passwords as the ones set for DropBox.
Otherwise, they warned, hackers could use the same passwords to breach other services and accounts. Company sources clarified that the stolen accounts were not the result of any internal breach, but of a hack that took place at another site.
A spokesperson for the company said that there had been no evidence of any malicious attempt to access the affected users’ accounts. The danger lay in the stolen data being combined with password reuse, which put the user credentials at risk.
According to reports, about 32 million passwords are hashed with bcrypt, a deliberately slow password-hashing function. This would make it very difficult for anyone to recover the users’ actual passwords from the hashes.
The remaining passwords have been secured with the older SHA-1 hashing algorithm. A salt was also added to these hashes: a random string is added to each password before it is hashed, which makes the stored hashes harder to crack.
DropBox, on its part, has changed its password hashing process from time to time since 2012 to protect the users’ passwords and strengthen security.
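The three defensive steps the article describes, a forced reset for accounts whose password predates a cutoff, salted hashing, and a migration from an old fast hash to a slow one, can be shown together in a small simulation. The code below is an added example written for this article, not DropBox code; the account records, the 1 July 2012 cutoff date and the on-disk hash format are constructed for illustration, and PBKDF2-HMAC from Python’s standard library stands in for bcrypt because both are salted, deliberately slow functions with a tunable work factor.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import Optional

# Assumption for this example: passwords set before mid-2012 must be reset.
RESET_CUTOFF = date(2012, 7, 1)
# Work factor for the slow scheme (bcrypt uses a "cost" parameter instead).
PBKDF2_ITERATIONS = 200_000


def hash_legacy_sha1(password: str, salt: bytes) -> str:
    """Older scheme from the article: a single SHA-1 over salt + password.
    The salt defeats precomputed tables, but one guess still costs one fast hash."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_slow(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow scheme (stand-in for bcrypt). Each guess costs `iterations` HMACs."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, _ = fields
        candidate = hash_legacy_sha1(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2":
        iters, salt_hex, _ = fields
        candidate = hash_slow(password, bytes.fromhex(salt_hex), int(iters))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def accounts_needing_reset(accounts: list) -> list:
    """Emails of accounts whose password was last changed before the cutoff."""
    return [a["email"] for a in accounts if a["password_changed"] < RESET_CUTOFF]


def login(account: dict, password: str) -> dict:
    """Simulated login: reject wrong passwords, enforce the reset policy, and
    transparently upgrade a legacy SHA-1 record to the slow scheme on success
    (the plaintext is only available at login, so that is when rehashing happens)."""
    if not verify(password, account["hash"]):
        return {"ok": False, "reason": "bad password"}
    if account["password_changed"] < RESET_CUTOFF:
        return {"ok": False, "reason": "reset required"}
    if account["hash"].startswith("sha1$"):
        account["hash"] = hash_slow(password)
        account["upgraded"] = True
    return {"ok": True, "reason": ""}


# Constructed sample records (fixed salts so the example is reproducible).
SAMPLE_ACCOUNTS = [
    {"email": "alice@example.com", "password_changed": date(2011, 3, 9),
     "hash": hash_legacy_sha1("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff"))},
    {"email": "bob@example.com", "password_changed": date(2014, 5, 20),
     "hash": hash_legacy_sha1("battery staple", bytes.fromhex("ffeeddccbbaa99887766554433221100"))},
    {"email": "carol@example.com", "password_changed": date(2016, 1, 15),
     "hash": hash_slow("hunter2", bytes.fromhex("0123456789abcdef0123456789abcdef"))},
]


if __name__ == "__main__":
    # Same password, different salts: the stored hashes differ.
    print(hash_legacy_sha1("same", b"a" * 16) != hash_legacy_sha1("same", b"b" * 16))
    print("reset:", accounts_needing_reset(SAMPLE_ACCOUNTS))
    for acct, pw in zip(SAMPLE_ACCOUNTS, ["correct horse", "battery staple", "hunter2"]):
        print(acct["email"], login(acct, pw), acct["hash"].split("$")[0])
```

Running it shows alice blocked with “reset required” even though her password is correct, bob logged in and his record silently moved from `sha1$` to `pbkdf2$`, and carol unchanged. The per-guess cost difference between the two schemes is what the article means by the bcrypt-protected half of the dump being much harder to exploit.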
The set of DropBox accounts that was a part of the 2012 hack, however, did not find their way to the dark web where typically most stolen users’ accounts are sold.
However, the data dump’s value reduces if the passwords are strong and secure. The data, in such a case, becomes less valuable to the cybercriminals trading the data.
In this connection, it is interesting to note that this year has witnessed many data breaches: Twitter (32 million) and LinkedIn (117 million) were breached earlier in the year. Some of these details were available for sale on dark web selling forums.