
Dropbox passwords breach exposed 68 million users

Confirming that 68 million Dropbox passwords were exposed in 2012, the cloud provider continued to urge users to update their credentials and enable two-factor authentication.

Dropbox Inc. confirmed 68 million user credentials were exposed in a 2012 breach, and it continued to urge users to update their passwords, avoid password reuse and enable two-factor authentication.

The cloud storage provider continued to downplay the news, stating that there has been no indication that the exposure of Dropbox password hashes led to accounts being compromised. Dropbox last week initiated a forced password reset for users who hadn't changed their passwords since 2012. The original Dropbox breach occurred in 2012, when attackers used passwords stolen from another website to gain entry into Dropbox accounts that reused those same passwords, including the account of a Dropbox employee.

"Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012. The list of email addresses with hashed and salted passwords is real; however, we have no indication that Dropbox user accounts have been improperly accessed," Patrick Heim, head of trust and security at Dropbox, wrote in an updated blog post.

"Based on our analysis, the credentials were likely obtained in 2012. We first heard rumors about this list two weeks ago and immediately began our investigation. We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts."

Heim also warned users against reusing passwords across different websites or services, stressed the importance of choosing strong passwords and enabling two-factor authentication, and asked users to "please be alert to spam or phishing, because email addresses were included in the list."

Experts weigh in on breach

Meanwhile, security experts were divided over the response to and implications of the Dropbox password breach. Matthew Gardiner, cybersecurity strategist at email security company Mimecast in Watertown, Mass., told SearchSecurity by email, "It is fair to say that Dropbox is a wide-open hole in many organizations' networks."

"Companies need to arm their employees with secure alternatives to share large files that work at the enterprise level," Gardiner said. "If employees don't have a better option, they end up using a variety of vendors and creating multiple accounts, none of which are being securely monitored."

Others praised the response after reports of the exposure, while pointing to the weaknesses in strategies that rely on passwords. "Dropbox appeared to practice good user data security protections, encrypting the passwords and updating the encryption standards," said Ryan Disraeli, co-founder and vice president of mobile identity firm TeleSign, based in Marina del Rey, Calif. However, he also added that, "once again, we find ourselves in a situation where even when good protections are used, the password alone still falls short. Passwords are just too easy to crack, making additional layers of security extremely vital. While many of the leaked passwords remain encrypted, all but the worst password choices should still remain relatively secure. But, as we've seen, most users do in fact use terrible passwords across many accounts without regularly changing them."
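The two technical points in Dropbox's statement and in Disraeli's assessment above, that salted, slow hashing leaves "all but the worst password choices" secure, and that a forced reset means cracked pre-2012 passwords "can't be used to access Dropbox accounts", can be shown end to end. The following is an added example written for this article, not Dropbox's code: the article only says the passwords were "hashed and salted", so PBKDF2-HMAC-SHA256 stands in for whatever Dropbox actually used, the iteration count is deliberately low so the demo runs in a second or two, and the accounts, passwords, "leak" and wordlist are all constructed.

```python
"""Salted slow hashing, an offline dictionary attack on a leaked hash list,
and a forced reset that invalidates stale credentials.  Added example with
constructed data; not Dropbox's implementation or parameters."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: a real deployment tunes this far higher (or uses bcrypt/scrypt/Argon2);
# it is low here only so the demo finishes quickly.
ITERATIONS = 20_000


@dataclass
class Record:
    salt: bytes
    digest: bytes
    set_year: int            # year the password was last set (constructed)
    reset_required: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted KDF: the salt defeats shared precomputation, the cost slows guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def enroll(store: dict, email: str, password: str, year: int) -> None:
    salt = secrets.token_bytes(16)       # per-user random salt
    store[email] = Record(salt, hash_password(password, salt), year)


def login(store: dict, email: str, password: str) -> bool:
    """A correct password is refused while a reset is pending on the account."""
    rec = store.get(email)
    if rec is None or rec.reset_required:
        return False
    return hmac.compare_digest(hash_password(password, rec.salt), rec.digest)


def crack(leak: dict, wordlist: list) -> dict:
    """Offline dictionary attack: each (user, guess) pair costs one KDF run."""
    found = {}
    for email, rec in leak.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, rec.salt), rec.digest):
                found[email] = guess
                break
    return found


def force_reset_stale(store: dict, cutoff_year: int) -> list:
    """Flag every account whose password predates the cutoff; returns affected emails."""
    affected = []
    for email, rec in store.items():
        if rec.set_year < cutoff_year:
            rec.reset_required = True
            affected.append(email)
    return affected


def build_demo_store() -> dict:
    """Constructed accounts: two weak passwords (one stale, one fresh), one strong and stale."""
    store = {}
    enroll(store, "alice@example.com", "password123", 2011)
    enroll(store, "bob@example.com", "tr0ub4dor&3-k9w!Qz", 2011)
    enroll(store, "carol@example.com", "password123", 2015)
    return store


# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["123456", "password", "qwerty", "password123", "dropbox2012", "letmein"]


def run_demo():
    store = build_demo_store()
    # What an attacker holds after the leak: emails, salts and digests only.
    leak = {e: Record(r.salt, r.digest, r.set_year) for e, r in store.items()}
    cracked = crack(leak, WORDLIST)
    before = {e: login(store, e, cracked.get(e, "")) for e in store}
    reset = force_reset_stale(store, 2012)     # anyone who hasn't changed it since 2012
    after = {e: login(store, e, cracked.get(e, "")) for e in store}
    return cracked, before, reset, after


if __name__ == "__main__":
    cracked, before, reset, after = run_demo()
    print("cracked:", cracked)
    print("logins before reset:", before)
    print("accounts reset:", reset)
    print("logins after reset:", after)
```

Running it, the dictionary recovers "password123" for both users who chose it but never touches the strong password, and the two leaked copies of that password hash to different digests because each user has their own salt. Before the reset, the cracked weak password logs in; after the reset of everything set before 2012, the stale account refuses it even though the guess is correct, while the account whose owner changed their password later is unaffected. That is the whole value of the reset: it caps the damage from hashes that will eventually be cracked.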

Gardiner noted that file-sharing services like Dropbox pose a threat to organizations when employee accounts are compromised. "Once an account is compromised, it can be used as an attack vector for delivering malicious links to a network," he said. "Although it would look like the email came from someone that the employee knows, it could end up being malware or ransomware that has the potential to take down an organization's entire system."

Adam Levin, chairman and founder of identity protection service IDT911 LLC, based in Scottsdale, Ariz., noted that while most of the exposed Dropbox passwords were likely still secure due to the use of strong hashing, email addresses can still expose sensitive data. "Email addresses are at the foundation of our digital identities, as they often contain significant names and/or numbers, such as your birthday, college or work."

"All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions to access even more sensitive information," Levin said. "Email addresses are also frequently used as user IDs for many other accounts, such as financial services or social networking sites, not to mention providing context for various phishing attacks. So, the potential damage is hardly limited to just Dropbox."

Next Steps

Find out more about creating strong passwords and avoiding data breaches.

Read about how password strength meters work and how they can improve password strength.

Learn more about the event in 2012 that may have been the source for the breached Dropbox passwords.


Join the conversation

5 comments


What did you think of how Dropbox responded to the exposure of users' passwords dating back to 2012?
Dropbox is sending mixed signals when they email users to change their password or encourage them to enable MFA while at the same time continuing to downplay the news.
I have mixed feelings on this, but I do think end user security would be much improved by greater use of security tokens.
“We have no indication that Dropbox user accounts have been improperly accessed.” Seems to be leaving a dangling “yet” out there… At least they’re taking steps to address it four years later.
Better late than never?

I do agree that a lot of these fairly safe corporate statements leave out the "yet."

I find myself mentally adding the modifier -- doesn't everyone?