68 Million Stolen Dropbox Customer Credentials Leaked 4 Years After Theft

By Francis West on 7th September 2016

The usernames, email addresses and encrypted passwords of an astonishing 68 million Dropbox customers, stolen in a hack back in 2012, have resurfaced in a recent leak.

The leak of this vast number of customer credentials came to light when the security notification service Leakbase picked up the database and passed it to the technology website ‘Motherboard’.

What Hack?

Back in July 2012 Dropbox, which then had approximately 100 million customers, was informed that some of those customers were receiving email at addresses they used only for Dropbox. This alerted the company to the fact that a hack had taken place, although Dropbox said at the time that usernames and passwords had been stolen from other websites and used to sign in to a small number of Dropbox accounts. The company also admitted, however, that in addition to taking customer details the hackers had stolen a Dropbox employee's credentials and used them to access a project document containing user email addresses.

Dropbox then notified users who had not changed their password that year. At the time of the theft Dropbox was also known to be practising good user data security procedures and was even upgrading from the SHA-1 standard to the more secure bcrypt standard for stored passwords.

With this leak of Dropbox customer credentials some four years later, we now know that the credentials of over two-thirds of Dropbox's user accounts had in fact been stolen.

Password Reuse?

Even after the leak of the 68 million credentials, Dropbox are reported to have stuck with the position that password reuse, and not any breach of its network, was to blame for the original theft.

Some security commentators, however, have been publicly sceptical of this claim, stating that it is unlikely that the full set of leaked credentials could have been pieced together from other sources. Another explanation put forward by the sceptics is that the data could have been taken from a log on Dropbox's system.

No Danger at the Moment

It is believed that, despite this recent data dump, current Dropbox customers are not in any immediate danger, because of the very secure bcrypt system protecting the passwords and because of the actions Dropbox took at the time of the original hack and has taken since.
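The reason bcrypt matters here is that a leaked table of salted, slow hashes is far harder to turn into usable passwords than a table of plain SHA-1 digests. The script below is an added example, not Dropbox's code or anything from the article: it shows the usual way a service moves from a legacy unsalted SHA-1 scheme to a salted, iterated scheme by rehashing each password at the moment the user next logs in, plus a helper that lists the accounts still on the old scheme (the ones to force-reset first if a dump surfaces). The user table, passwords and the `sha1$`/`pbkdf2$` record formats are all constructed for the example, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so it runs without third-party packages; the migration logic is the same either way.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample user table (values made up for this example).
# "sha1$" records model the unsalted SHA-1 scheme being retired,
# "pbkdf2$" records model the upgraded salted, iterated scheme.
USERS: Dict[str, str] = {
    "alice@example.com": "sha1$" + hashlib.sha1(b"correct horse").hexdigest(),
    "bob@example.com": "sha1$" + hashlib.sha1(b"123456").hexdigest(),
}

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt; tune the cost for your hardware.
ITERATIONS = 100_000


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing 'pbkdf2$iters$salt$digest' record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    scheme, _, rest = stored.partition("$")
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        iters, salt_hex, digest_hex = rest.split("$")
        cand = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(cand.hex(), digest_hex)
    if scheme == "sha1":
        return hmac.compare_digest(hashlib.sha1(pw).hexdigest(), rest)
    return False  # unknown scheme: fail closed


def needs_rehash(stored: str) -> bool:
    """True for any record not yet on the salted, iterated scheme."""
    return not stored.startswith("pbkdf2$")


def login(users: Dict[str, str], email: str, password: str) -> bool:
    """Authenticate and, on success, transparently upgrade a legacy record.
    Login is the only moment the server holds the plaintext, so it is the only
    moment a SHA-1 record can be converted without asking the user to reset."""
    stored = users.get(email)
    if stored is None or not verify(stored, password):
        return False
    if needs_rehash(stored):
        users[email] = slow_hash(password)
    return True


def legacy_accounts(users: Dict[str, str]) -> List[str]:
    """Accounts still on the old scheme: the population to force-reset if a dump appears."""
    return sorted(email for email, record in users.items() if needs_rehash(record))


if __name__ == "__main__":
    print("legacy before:", legacy_accounts(USERS))
    print("alice login:", login(USERS, "alice@example.com", "correct horse"))
    print("legacy after:", legacy_accounts(USERS))
```

Note that users who never log in again keep their SHA-1 record indefinitely, which is why the `legacy_accounts` list, not the migration alone, decides who gets a forced reset.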

What Does This Mean For Your Company?

This latest leak, its scale, and the fact that Dropbox were using good security practices at the time show how essential it is in 2016 to have tight security at both the user end and the data-storing business end. Your online customers, for example, ideally need very strong passwords, two-step authentication and no reuse of passwords in order to feel, and be, more secure. If you are storing user password data it may help to use a good and trusted password manager, as well as being able to offer up-to-date and very secure encryption. With GDPR on the way in 2018, now would be a good time anyway to make sure that your company data is collected, stored and used in a way that is fully compliant as well as very secure.