Hackers stole almost 70 million customer passwords from Dropbox after an employee reused a password
Back in 2012, Dropbox disclosed that someone had managed to gain unauthorised access to a document containing user email addresses.
Then last week, the cloud storage website forced users who had not changed their passwords since then to change them now as a "preventative measure." It turned out that it wasn't just email addresses that were accessed - encrypted user passwords were also stolen.
And now thanks to Motherboard, we know just how many Dropbox users' details have been leaked: A staggering 68 million.
Breach notification site Leakbase provided Motherboard's Joseph Cox with a copy of the 5GB database, containing 68,680,741 user accounts.
And Troy Hunt, a security researcher who specialises in security breaches, also verified the data, writing in a blog post that "there is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing."
(Dropbox has also confirmed the scale of the breach to news outlets.)
So does this mean that if you had a Dropbox account in 2012, hackers now have your password? It's unlikely. The passwords were salted and hashed, a one-way transformation that makes them nonsensical to anyone who might try to use them - and around half were hashed with the more modern bcrypt algorithm, which Hunt says is "very resilient to cracking ... frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public."
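To show what "salted and hashed" means in practice, here is an added example (not code from the article or from Dropbox): a fast unsalted hash beside a salted, deliberately slow one, plus a small audit check a defender can run over a credential store. It uses scrypt from Python's standard library as a stand-in for bcrypt, which is not in the standard library; the work-factor values and the sample accounts are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Work factor for the slow hash. Assumed values, standing in for bcrypt's cost;
# scrypt is used only because it ships with Python's standard library.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def fast_unsalted_hash(password: str) -> str:
    """Legacy-style storage: one fast hash, no salt. Two accounts with the same
    password get the same digest, and each guess costs microseconds."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash stored as 'scrypt$N$salt_hex$digest_hex'.
    A fresh random salt per account means equal passwords never share a hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "scrypt":
        return False
    _, n, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def shared_hash_count(store: Dict[str, str]) -> int:
    """Audit helper: number of distinct hash values shared by more than one
    account. Non-zero means unsalted storage, which reveals who shares a password."""
    seen: Dict[str, int] = {}
    for stored in store.values():
        seen[stored] = seen.get(stored, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two of them use the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    print("shared (unsalted):", shared_hash_count({u: fast_unsalted_hash(p) for u, p in users.items()}))
    print("shared (salted):", shared_hash_count({u: hash_password(p) for u, p in users.items()}))
    for name, fn in (("sha1", fast_unsalted_hash), ("scrypt", hash_password)):
        t0 = time.perf_counter(); fn("correct horse")
        print(f"{name}: {(time.perf_counter() - t0) * 1e3:.2f} ms per hash")
```

The timing lines make the point behind Hunt's comment: with bcrypt-style cost, each guess against a stolen hash is orders of magnitude slower than against a plain fast hash.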
It appears that the data was stolen because a Dropbox employee re-used a password they had used on another site - a big security no-no.
In 2012, when the company disclosed the theft of emails (and before it knew that encrypted passwords had also been accessed), it wrote in a blog post that hackers had been using email/password combinations from other hacked websites to try to get into Dropbox accounts.
When it announced the precautionary password reset last week, it said the passwords were also accessed during that breach: "We learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."
Security experts recommend never re-using passwords, and instead using a strong, unique password for each site or service you have an account on - using a password manager app to remember them if necessary. That way, if one service you use is hacked, your other accounts aren't compromised too.
You can check if your records are in the Dropbox data dump on Have I Been Pwned?, a search engine for data breaches run by Troy Hunt. Enter your email address, and it will tell you if you have been affected - or if your email was found in any previous data dumps, from LinkedIn to MySpace.