Dropbox announced the four-year-old breach last week when it sent out an email to affected users informing them that they would be proactively resetting their passwords. They informed users that their accounts were being reset because the company had been notified about a possible threat. But the full extent of the massive breach was reported by Motherboard, and was confirmed to The Washington Post by a Dropbox official.
Dropbox was aware of a security breach in 2012 and told its customers, but it says the true scope and size of the hack was new information until last week. Patrick Heim, head of trust and security at Dropbox, said the company felt it had taken sufficient preventive measures by proactively resetting passwords. Heim added that at this point, there is still no evidence that the users' passwords have been successfully decoded and sold.
Hacked user credentials can be very valuable among data traders. Email and password data is typically bought and sold on the darknet, a tier of anonymous and largely untraceable Internet access that is often used for illegal activity such as drug or firearms trading. Large numbers of stolen user data can be integrated with software that automatically cycles though email/password combinations to hack into different websites. Given that many people reuse the same passwords on multiple websites, this can be a very effective method. Dropbox actually points to an employee's reused password hacked from another website as the cause of the 2012 Dropbox breach, according to a blogpost that year on its website.
But the stolen passwords from Dropbox were hashed and salted. Both are methods of obscuring passwords should they fall into hackers' hands. Hashing converts passwords into a fixed number of random characters while salting adds a secret value to the end of each password. Hashing and salting can help to keep passwords safe in stolen databases, but the danger with hashing and salting is that both techniques can be eventually decrypted, especially for passwords obtained from several years ago. However, at this time there is still no confirmation that any of the passwords have been successfully decoded and sold. It's one reason the reported value of the data, at two bitcoins, is so low.
"The value in bitcoin is a really good indicator of how valuable the hack really was," said Bryan Seely, a cybersecurity expert and hacker at MGT Capital Investments. "Given how low the price is, I'd say the situation probably isn't too bad." Hackers set a stolen medical database containing 34,000 patient records at a price of 20 bitcoins, or $13,173, this July.
Dropbox has several high-profile clients that use Dropbox Business, a premium-tier service that offers such features as unlimited data storage and extra security. It's used by companies like Hyatt, HP Enterprise and Spotify. Dropbox Business was not launched until after the 2012 breach, so these clients are unlikely to have stolen data.
The hack points to the fragility of passwords as a security measure online. "Passwords are outdated, they're annoying to users, they annoy IT teams, they're hard to remember," said Malcolm Harkins, the chief security and trust officer at a security company called Cylance. Harkins added that new security measures such as multifaceted authentication are far stronger methods. At Dropbox, which offers two-step verification log in for users, rate of enrollment for the extra verification measure has increased nearly tenfold since news of the hack.
Tyler Cohen Wood, cybersecurity adviser at Inspired eLearning, agrees, adding that users should take a degree of personal responsibility for their user data. "If you haven't changed your passwords since 2012, you might want to rethink your own personal password policy and change them more frequently," she said.
Despite this, she added, companies have a duty to fully disclose breaches. "It is always best to report potential compromises of accounts and passwords to users right away so that they can take action immediately," she added.
Clarification: The headline of this story was updated to make it clear that only user credentials were involved in the hack.