Dropbox Inc. confirmed 68 million user credentials were exposed in a 2012 breach, and it continued to urge users to update their passwords, avoid password reuse and enable two-factor authentication.
The cloud storage provider continued to downplay the news, stating that there has been no indication that a breach of Dropbox passwords led to accounts being compromised. Dropbox last week initiated a forced password reset for users who hadn't changed their passwords since 2012. The initial Dropbox breach occurred in 2012, when attackers used stolen passwords from another website to gain entry to Dropbox accounts that reused those same passwords, including the account of a Dropbox employee.
"Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012. The list of email addresses with hashed and salted passwords is real, however, we have no indication that Dropbox user accounts have been improperly accessed," Patrick Heim, head of trust and security at Dropbox, wrote in an updated blog post.
"Based on our analysis, the credentials were likely obtained in 2012. We first heard rumors about this list two weeks ago and immediately began our investigation. We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts."
Heim also warned users to avoid reusing passwords across different websites or services, and stressed the importance of using strong passwords and enabling two-factor authentication. He also warned users to "please be alert to spam or phishing, because email addresses were included in the list."
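The mechanism Heim describes, salted password hashing combined with a forced reset for every account whose password predates the breach, is shown below as an added Python example. It is not Dropbox's code: the scrypt parameters, the 1 July 2012 cutoff standing in for "mid-2012", and the sample accounts are assumptions constructed for illustration. The point it makes is that once the stored hash is invalidated, a cracked copy of the old password no longer authenticates, while accounts updated after the cutoff are untouched.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# scrypt work factors are an assumption for this example, not Dropbox's real settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# "mid-2012" in the article; the exact cutoff date is an assumption.
BREACH_CUTOFF = datetime(2012, 7, 1, tzinfo=timezone.utc)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_sample_store() -> dict:
    """Constructed sample accounts: emails, passwords and timestamps are invented."""
    records = {
        "stale@example.com": ("hunter2", datetime(2011, 3, 4, tzinfo=timezone.utc)),
        "fresh@example.com": ("correct horse battery staple",
                              datetime(2015, 9, 1, tzinfo=timezone.utc)),
    }
    store = {}
    for email, (password, updated) in records.items():
        salt, digest = hash_password(password)
        store[email] = {"salt": salt, "digest": digest,
                        "password_updated_at": updated, "reset_required": False}
    return store


def accounts_to_reset(store: dict, cutoff: datetime) -> list[str]:
    """Accounts whose password predates the cutoff and has not already been reset."""
    return sorted(email for email, rec in store.items()
                  if rec["password_updated_at"] < cutoff and not rec["reset_required"])


def force_reset(store: dict, cutoff: datetime) -> list[str]:
    """Invalidate the stored hash so a cracked old password is useless for login."""
    affected = accounts_to_reset(store, cutoff)
    for email in affected:
        rec = store[email]
        rec["reset_required"] = True
        rec["digest"] = None  # nothing to compare against until the user sets a new password
    return affected


def authenticate(store: dict, email: str, password: str) -> bool:
    """Login is refused outright for accounts awaiting a reset."""
    rec = store.get(email)
    if rec is None or rec["reset_required"] or rec["digest"] is None:
        return False
    return verify_password(password, rec["salt"], rec["digest"])


def set_new_password(store: dict, email: str, password: str, now: datetime) -> None:
    """Complete the reset flow: new salt, new hash, fresh timestamp, flag cleared."""
    salt, digest = hash_password(password)
    store[email].update({"salt": salt, "digest": digest,
                         "password_updated_at": now, "reset_required": False})


if __name__ == "__main__":
    store = build_sample_store()
    print("reset:", force_reset(store, BREACH_CUTOFF))
    print("stale login with leaked password:", authenticate(store, "stale@example.com", "hunter2"))
    print("fresh login:", authenticate(store, "fresh@example.com", "correct horse battery staple"))
    set_new_password(store, "stale@example.com", "new passphrase 2016",
                     datetime(2016, 9, 1, tzinfo=timezone.utc))
    print("stale login after reset flow:", authenticate(store, "stale@example.com", "new passphrase 2016"))
```

Clearing the digest rather than merely flagging the account is a deliberate choice: a later code path that forgets to check `reset_required` still has nothing to verify against, which is the property Heim's statement relies on.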
Experts weigh in on breach
Meanwhile, security experts were divided over the response and implications of the Dropbox password breach. Matthew Gardiner, cybersecurity strategist at email security company Mimecast in Watertown, Mass., told SearchSecurity by email, "It is fair to say that Dropbox is a wide-open hole in many organizations' networks."
"Companies need to arm their employees with secure alternatives to share large files that work at the enterprise level," Gardiner said. "If employees don't have a better option, they end up using a variety of vendors and creating multiple accounts, none of which are being securely monitored."
Others praised the response after reports of the exposure, while pointing to the weaknesses in strategies that rely on passwords. "Dropbox appeared to practice good user data security protections, encrypting the passwords and updating the encryption standards," said Ryan Disraeli, co-founder and vice president of mobile identity firm TeleSign, based in Marina del Rey, Calif. However, he also added that, "once again, we find ourselves in a situation where even when good protections are used, the password alone still falls short. Passwords are just too easy to crack, making additional layers of security extremely vital. While many of the leaked passwords remain encrypted, all but the worst password choices should still remain relatively secure. But, as we've seen, most users do in fact use terrible passwords across many accounts without regularly changing them."
Gardiner noted that file-sharing services like Dropbox pose a threat to organizations when employee accounts are compromised. "Once an account is compromised, it can be used as an attack vector for delivering malicious links to a network," he said. "Although it would look like the email came from someone that the employee knows, it could end up being malware or ransomware that has the potential to take down an organization's entire system."
Adam Levin, chairman and founder of identity protection service IDT911 LLC, based in Scottsdale, Ariz., noted that while most of the exposed Dropbox passwords were likely still secure due to the use of strong hashing, email addresses can still expose sensitive data. "Email addresses are at the foundation of our digital identities, as they often contain significant names and/or numbers, such as your birthday, college or work."
"All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions to access even more sensitive information," Levin said. "Email addresses are also frequently used as user IDs for many other accounts, such as financial services or social networking sites, not to mention providing context for various phishing attacks. So, the potential damage is hardly limited to just Dropbox."