4-Year-Old Dropbox Hack Leaked 68 Million Users’ Data

Haven’t updated your Dropbox password in ages? You may want to get on that now. Go on; we’ll wait. Why should you change your password? Well, back in 2012, Dropbox disclosed that someone had gained unauthorized access to the account of a Dropbox employee.

The Dropbox security breach occurred because an employee used the same password for an internal system and LinkedIn – which lost 167 million account credentials in a 2012 data breach. Apparently, 2012 was the year of data breaches and Carly Rae Jepsen’s smash hit, “Call Me Maybe” (you know you love that song; admit it).

At the time, Dropbox said that only a project document containing customer email addresses had been taken. As a result, Dropbox users’ email inboxes were flooded with spam, and Dropbox started to take steps towards improving security.

But, it turns out the 2012 Dropbox hack was a bit more serious. How serious? Well, as of August 2016, Dropbox confirmed that 68 million user accounts were leaked online with their associated passwords.

In response, Dropbox performed a mass account reset and prompted users to change their old passwords. They also recommended that users enhance password security by enabling two-step verification.

Dropbox Underestimated the Impact of Data Breach

Why has it taken 4 years to uncover the extent of this breach? The answer: Dropbox underestimated the scale and severity of the hack.

In its recent blog post, Dropbox said it had “no indication that Dropbox user accounts [had] been improperly accessed” following the hack. They first heard rumors about the list of account credentials mid-August 2016 and immediately started investigating.

So, how did this even happen? Well, this is where it gets a bit confusing. Either the passwords were stolen in 2012 when the employee’s project document was taken, or they were stolen during another massive data breach that recently came to light, such as LinkedIn or MySpace. But, based on Dropbox’s blog post, it sounds like the former is most likely.

Your Data Could Be At Risk

Should you be worried? Yes and no. Some passwords in the data spill were hashed with bcrypt, one of the most sophisticated and secure password-hashing algorithms (hashing is a one-way transformation, not encryption, so the original password cannot simply be decrypted). Other passwords, however, were only protected by SHA-1, an older and weaker hashing function that is fast to compute and therefore much cheaper to attack by guessing.

Dropbox has been in recovery mode and taking preventative measures to improve data security. But, if leaked passwords have remained unchanged since 2012, hackers may have had enough time to crack the hashes and access Dropbox accounts along with any other accounts using the same password.
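The standard remedy for a store that still holds legacy fast hashes is to verify against the old hash at login and immediately rehash the password under a slow scheme. The following is an added illustration of that pattern, not code from Dropbox or from this article; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and the record format (`scheme$...`) and sample users are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

LEGACY_SHA1 = "sha1"            # the weak scheme still present in the store
SLOW_KDF = "pbkdf2_sha256"      # stand-in for bcrypt (needs a third-party package)
PBKDF2_ROUNDS = 200_000         # high iteration count makes each guess expensive


def make_legacy_sha1(password: str, salt: bytes) -> str:
    """Build a legacy record: salted SHA-1, cheap to compute and cheap to attack."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"{LEGACY_SHA1}${salt.hex()}${digest}"


def make_slow(password: str, salt: Optional[bytes] = None) -> str:
    """Build a record under the slow KDF with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()
    return f"{SLOW_KDF}${PBKDF2_ROUNDS}${salt.hex()}${digest}"


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Return (ok, record). When a legacy SHA-1 record verifies, the returned
    record is a new slow-KDF record that should replace it in the store."""
    scheme, *parts = stored.split("$")
    if scheme == LEGACY_SHA1:
        salt, digest = parts
        candidate = hashlib.sha1(bytes.fromhex(salt) + password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):   # constant-time comparison
            return False, stored
        return True, make_slow(password)                  # retire the legacy hash
    if scheme == SLOW_KDF:
        rounds, salt, digest = parts
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt), int(rounds)
        ).hex()
        return hmac.compare_digest(candidate, digest), stored
    raise ValueError(f"unknown hash scheme {scheme!r}")


# Constructed sample store: one legacy user and one already on the slow scheme.
USERS = {
    "alice": make_legacy_sha1("correct horse", b"\x01" * 8),
    "bob": make_slow("battery staple"),
}


def login(username: str, password: str) -> bool:
    """Authenticate and transparently upgrade the stored record on success."""
    ok, record = verify_and_upgrade(USERS[username], password)
    if ok:
        USERS[username] = record
    return ok
```

After a successful login the legacy record is gone; records for users who never log in again are exactly the ones a forced reset (as Dropbox did) takes care of.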

By resetting affected users’ passwords, Dropbox ensures that even if passwords have been cracked, they can’t be used to access Dropbox accounts. But, if you’ve been using the same password for Dropbox and other accounts, we recommend changing it on all sites.

Whatever you do, remember to switch up your passwords and don’t reuse the same password for every site. We know; it’s so much easier to use one password for all websites. But, you can never be too safe, especially when it comes to sensitive data.

What if this happened to your business? How would your credibility be affected by this loss? 500 million people are on Dropbox. They can bounce back easily from a security breach, but what about you?

Data is the lifeblood of your business. It only makes sense that you would want to do everything possible to protect it.

Learn how you can protect your data from hidden threats and avoid costly data loss and downtime. Download our guide, Security, Manageability, and Reliability: Keys to Safe Data, below.
