Dropbox has confirmed that the user credentials circulating on the dark web are real and come from an older incident. Motherboard reported that the credentials of over 60 million Dropbox users are available online, in 4 files totalling around 4.7 GB.
This data is real and was stolen back in 2012, when the stolen password of a Dropbox employee led to the mass data breach. This Dropbox use
Earlier this week, Dropbox announced that it would force a password reset for accounts whose passwords had not been changed in the past 4 years. Now you know the reason behind this decision. The company did not publish the exact number of accounts reset, but this was done proactively.
The good news is that the leaked data contains the passwords only in hashed form. Nearly 32 million of the passwords are protected with bcrypt, so attackers will not be able to obtain the actual passwords. The rest of the passwords were hashed with salted SHA1. This is also a strong hashing scheme, but attackers could possibly work around it; they would need the salts to crack the hashes.
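As an added illustration (not code from the article or from Dropbox), here is how a service that still holds legacy salted-SHA1 records can verify them and transparently re-hash them with a slow KDF on the next successful login. The record formats are an assumption, and PBKDF2 from Python's standard library stands in for bcrypt, which is a third-party package.

```python
import hashlib
import hmac
import secrets

# Constructed record formats (an assumption, not any real provider's layout):
#   "sha1$<hexsalt>$<hexdigest>"            legacy salted SHA-1
#   "pbkdf2$<iters>$<hexsalt>$<hexdigest>"  slow KDF (stand-in for bcrypt)
PBKDF2_ITERS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Legacy scheme: one fast SHA-1 over salt || password."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def strong_hash(password: str, salt: bytes = None, iters: int = PBKDF2_ITERS) -> str:
    """Slow, salted, iterated hash; each guess costs `iters` HMAC computations."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()
    return f"pbkdf2${iters}${salt.hex()}${digest}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement_record).

    replacement_record is non-None only when a legacy record verified and
    should be overwritten with the strong scheme in the same transaction.
    """
    parts = stored.split("$")
    if parts[0] == "sha1":
        _, salt_hex, _digest = parts
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
        ok = hmac.compare_digest(candidate, stored)  # constant-time compare
        return ok, (strong_hash(password) if ok else None)
    if parts[0] == "pbkdf2":
        _, iters, salt_hex, _digest = parts
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, stored), None
    raise ValueError("unknown hash scheme")
```

Once every user has logged in once, no salted-SHA1 record remains; accounts that never return can be force-reset, as the article describes Dropbox doing.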
This was also linked to LinkedIn’s data breach: the attacker obtained the Dropbox employee’s password from the LinkedIn breach. It is notable how LinkedIn’s data breach became the primary reason for many more breaches and hacks, including the compromise of Zuckerberg’s Twitter and Pinterest accounts.
If you are a Dropbox user, enable two-factor authentication for better security of your account and data. You should also learn not to reuse a password across services.