Dropbox last week confirmed that more than 68 million emails and passwords have been compromised from a hack that originally was disclosed in 2012.
Exposure from the breach was limited to email addresses, Dropbox originally claimed. However, based on the latest revelations, the hackers actually stole hashed and salted passwords. Even so, there have been no indications that they succeeded in accessing user accounts, the company said.
The firm apologized for the belated release of the information, saying it wanted to clear up the confusion.
"We first heard rumors about this list two weeks ago and immediately began our investigation," the company said in a statement provided by spokesperson Nick Morris. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012."
The reset ensures that even if the passwords are cracked, they can't be used to access Dropbox accounts.
Customers who signed up for Dropbox before mid-2012 with a password they used on other services should change those passwords too, Dropbox recommended.
They should create strong, unique passwords and enable two-step verification, the company urged. They also should be alert to spam or phishing attempts, because email addresses were exposed.
For security reasons, Dropbox could not answer any specifics about investigations into the hack, such as whether any outside security experts or law enforcement agencies have been looking into the breach, Morris told the E-Commerce Times.
Dropbox originally disclosed the hack attack in July, 2012, saying it started getting emails from some users about spam they were receiving at email addresses they only used for Dropbox.
Usernames and passwords stolen from other websites were used to sign into a small number of Dropbox accounts, Aditya Agarwal, vice president of engineering at Dropbox, explained at the time.
A stolen password was used to access an employee Dropbox account that contained a project document with user email addresses, according to the company, which is what led to the spam.
The Dropbox incident is similar to a recent attack on Tumblr, in that the scale of the leak wasn't apparent for quite some time, observed David Emm, principal security researcher at Kaspersky Lab. The personal information of more than 65 million Tumblr account holders was offered for sale on the dark Web about three years after the original 2013 breach.
"Customers that entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner, and all companies that handle private data have a duty to secure it properly," Emm told the E-Commerce Times.
Customers can't take their digital security for granted, he warned. They should use complex passwords and multifactor authentication to guard against threats of this type.
The Dropbox attack also is reminiscent of the LinkedIn breach of 2012, when an attack that originally was thought to have impacted 6.5 million users eventually was found to have exposed 117 million users, noted Christopher Budd, global threat communications manager at Trend Micro.
The extent of that attack finally came to light this year, he told the E-Commerce Times.
These attacks reflect the yard sale trend, a relatively new practice that involves hackers selling stolen personal data on open, underground markets.
One of the reasons data is held for a long time in these types of attacks is to make the origin of the breach much harder to trace, noted Kevin O'Brien, chief executive of GreatHorn.
"In part, the theory here is that these attacks are timed to both maximize damage and also be incredibly difficult to detect," he told the E-Commerce Times.
GreatHorn could not comment on specifics of the Dropbox breach due to a conflict, O'Brien said, but he noted that "the advanced persistent threat model is itself predicated on the idea that attackers are sophisticated enough to leverage these kind of stolen assets this way."