Earlier in the week, Dropbox forced password resets after stumbling across user credentials online that it believes were stolen in a 2012 breach.
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012.
Our analysis suggests that the credentials relate to an incident we disclosed around that time.
You’ll need to update your password if you signed up to use Dropbox before mid-2012 and if you haven’t changed that password since then, Dropbox said.
The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria.
Motherboard reports that it got its hands on files containing the email addresses and hashed passwords for the data set through what the publication says are sources in the database trading community.
It’s obtained four files – around 5GB in size – that contain details on 68,680,741 accounts. A senior Dropbox employee told Motherboard that the data is legitimate.
You’ll know that your Dropbox credentials were caught up in this theft if you receive an email from Dropbox, at the address on your Dropbox account. Plus, those affected can expect to be prompted to update their password the next time they visit dropbox.com.
Dropbox says this is all purely preventative. It’s seen no indication that accounts have been improperly accessed.
How do I protect my Dropbox account?
Dropbox is advising some security precautions that should sound familiar:
- Update any passwords you use on other sites, and make sure to use only one, unique password per site.
- Make those unique passwords strong. Here’s how.
- Consider turning on two-step verification. Here’s how to do it on Dropbox, and here’s why it’s a great idea.
- Only sign in to your account from secure devices, and always sign out if accessing your account on a non-personal device.
Bryan
Interesting if Dropbox folks already were aware of (and had announced) the 2012 breach that all passwds weren’t reset four years ago. Unless they were indeed reset–then why again now?
Anonymous
“Dropbox hack leads to 68 million passwords dumped online”
Password Hashes (that were salted). Not the same thing as having passwords dumped online.
Paul Ducklin
That kind of depends on how they were salted-hashed-and-stretched. Salting stops a “rainbow table” type lookup attack, so you have to test every password against every candidate in your list. But if your hashing is quick to do, then you may be able to try many millions of passwords a second, even on modest hardware, and so the weaker ones will end up cracked very quickly. Admittedly, that’s not “dumped”, but it’s close.
I wish that companies would include some indication of how much salting-hashing-and-stretching had been used, e.g. “PBKDF2 with HMAC-SHA256 iterated 20,000 times.” Otherwise, “hashing” could mean “a straight MD5.”
Larry M
Don’t you mean “…try many millions of passwords and many millions of salts…”? Millions times millions would take a good deal of time, modest hardware or not.
Paul Ducklin
No. The salt isn’t a secret key. It is stored along with the hash in the password database – it is mixed in with the supplied password before calculating the hash, and its purpose is to ensure that even if two users pick the same password, they get a different final hash.
So, the salt means you need to try to crack each password individually. You can’t create a big dictionary of password-to-hash mappings first.
It’s all explained very neatly (if I do say so myself) here:
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/