Dropbox hack: Cloud storage company hacked, potentially revealing over 60 million passwords

Dropbox has said that there doesn't appear to be anyone who has yet been hacked because of the breach

Andrew Griffin
Wednesday 31 August 2016 10:53 EDT
Storm clouds are seen in the sky as people sit on Havana's seafront boulevard El Malecon, Cuba (REUTERS/Enrique de la Osa)

More than 60 million logins apparently belonging to Dropbox users have been spread across the internet.

The cloud storage company has said that there doesn’t appear to be any indication that users have been hacked after the data dump, which compromises the security of many of its users.

The firm has said that it believes that the database – which includes usernames and encrypted passwords – was stolen in a breach in 2012.

The website Motherboard said that it had seen some of the passwords that were stolen during the breach and that are now available for sale online.

Users have been advised to change their passwords if they have been re-used.

A spokesman for Dropbox, which has 500 million registered users worldwide, said: "We can confirm that based on our intelligence, the number we have seen is in the 60-plus million range."

The firm added that it had completed a process of resetting passwords, including through a warning to users who signed up before mid-2012.

Dropbox head of trust and security Patrick Heim said: "This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed.

"Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012.

"We can confirm that the scope of the password reset we completed last week did protect all impacted users.

"Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn't changed their password since."

But Mr Heim warned that people who use the same password for other applications and websites should consider changing them as well.

He said: "While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites.

"The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing."

In 2014, the company was forced to deny that it had been hacked after an anonymous account posted what it claimed were the usernames and passwords of millions of the site's users.

An anonymous post to website Pastebin, traditionally used to save text users would like to paste elsewhere later, contained a list of email log-ins and passwords the hacker claimed were linked to Dropbox accounts.

The post claimed that more than 6.9 million Dropbox accounts had been hacked, and that more would be posted if donations of digital currency Bitcoin were made.

The company's spokesman added: "There is no connection between our actions to proactively reset users' passwords last week and the claimed breach in 2014."

Additional reporting by agencies
