Dropbox Drops Other Shoe in Years-Old Data Breach


Dropbox last week confirmed that more than 68 million emails and passwords have been compromised from a hack that originally was disclosed in 2012.

Exposure from the breach was limited to email addresses, Dropbox originally claimed. However, based on the latest revelations, the hackers actually stole hashed and salted passwords. Even so, there have been no indications that they succeeded in accessing user accounts, the company said.

The firm apologized for the belated release of the information, saying it wanted to clear up the confusion.

"We first heard rumors about this list two weeks ago and immediately began our investigation," the company said in a statement provided by spokesperson Nick Morris. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012."

The reset ensures that even if the passwords are cracked, they can't be used to access Dropbox accounts.
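An added illustration, not code from the article or from Dropbox, of the two defensive mechanisms described above: per-user salted password hashing, and a forced reset that refuses even a correct password if it was last set before a cutoff. The cutoff date, iteration count and user records are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed cutoff mirroring the article: passwords last set before
# mid-2012 are forced through a reset. Illustrative, not Dropbox's value.
RESET_CUTOFF = date(2012, 7, 1)
ITERATIONS = 200_000  # PBKDF2 work factor; assumed for the example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password get different digests, so a leaked table cannot
    be cracked with one precomputed lookup."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time comparison


def make_user(password: str, changed: date) -> dict:
    """Constructed user record: salt, digest and the date the password was last set."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "password_changed": changed}


def users_needing_reset(users: dict) -> list:
    """Accounts whose password predates the cutoff, i.e. the set a provider
    would force-reset after learning an old hash dump is circulating."""
    return sorted(n for n, u in users.items() if u["password_changed"] < RESET_CUTOFF)


def login(user: dict, password: str) -> str:
    """Post-breach policy: a stale password is refused even if it is correct
    (and even if an attacker has cracked it from the leaked hashes)."""
    if user["password_changed"] < RESET_CUTOFF:
        return "reset-required"
    return "ok" if verify_password(password, user["salt"], user["hash"]) else "denied"


def reset_password(user: dict, new_password: str, when: date) -> None:
    """Complete the reset flow: new salt, new digest, new change date."""
    user["salt"], user["hash"] = hash_password(new_password)
    user["password_changed"] = when
```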

Customers who signed up for Dropbox before mid-2012 with a password they used on other services should change those passwords too, Dropbox recommended.

They should create strong, unique passwords and enable two-step verification, the company urged. They also should be alert to spam or phishing attempts, because email addresses were exposed.

For security reasons, Dropbox could not answer any specifics about investigations into the hack, such as whether any outside security experts or law enforcement agencies have been looking into the breach, Morris told the E-Commerce Times.

Dropbox originally disclosed the hack attack in July 2012, saying it had started getting emails from some users about spam they were receiving at email addresses they used only for Dropbox.

Usernames and passwords stolen from other websites were used to sign into a small number of Dropbox accounts, Aditya Agarwal, vice president of engineering at Dropbox, explained at the time.

A stolen password was used to access an employee Dropbox account that contained a project document with user email addresses, according to the company, which is what led to the spam.

The Dropbox incident is similar to a recent attack on Tumblr, in that the scale of the leak wasn't apparent for quite some time, observed David Emm, principal security researcher at Kaspersky Lab. The personal information of more than 65 million Tumblr account holders was offered for sale on the dark Web about three years after the original 2013 breach.

"Customers that entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner, and all companies that handle private data have a duty to secure it properly," Emm told the E-Commerce Times.

Customers can't take their digital security for granted, he warned. They should use complex passwords and multifactor authentication to guard against threats of this type.

The Dropbox attack also is reminiscent of the LinkedIn breach of 2012, when an attack that originally was thought to have impacted 6.5 million users eventually was found to have exposed 117 million users, noted Christopher Budd, global threat communications manager at Trend Micro.

The extent of that attack finally came to light this year, he told the E-Commerce Times.

These attacks reflect the yard sale trend, a relatively new practice that involves hackers selling stolen personal data on open, underground markets.

One of the reasons data is held for a long time in these types of attacks is to make the origin of the breach much harder to trace, noted Kevin O'Brien, chief executive of GreatHorn.

"In part, the theory here is that these attacks are timed to both maximize damage and also be incredibly difficult to detect," he told the E-Commerce Times.

GreatHorn could not comment on specifics of the Dropbox breach due to a conflict, O'Brien said, but he noted that "the advanced persistent threat model is itself predicated on the idea that attackers are sophisticated enough to leverage these kind of stolen assets this way."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
