Dropbox Drops Other Shoe in Years-Old Data Breach


Dropbox last week confirmed that more than 68 million email addresses and hashed passwords were compromised in a hack it originally disclosed in 2012.

Dropbox originally claimed that exposure from the breach was limited to email addresses. Based on the latest revelations, however, the hackers also took the users' password hashes, which were salted. Even so, there have been no indications that they succeeded in accessing user accounts, the company said.

The firm apologized for the belated release of the information, saying it wanted to clear up the confusion.

"We first heard rumors about this list two weeks ago and immediately began our investigation," the company said in a statement provided by spokesperson Nick Morris. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012."

The reset ensures that even if any of the leaked hashes are cracked, the recovered passwords can't be used to access Dropbox accounts.
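How the two mitigations in this story fit together, as an added example that is not Dropbox's code: a credential store that keeps one random salt and a PBKDF2 digest per user, an offline dictionary attack run against a leaked copy of that table, and a forced reset for every account whose password predates a mid-2012 cutoff. The PBKDF2 parameters, the cutoff timestamp, the helper names and the sample accounts are all assumptions made for the demonstration.

```python
# Added example (not Dropbox's code): per-user salted password hashing,
# an offline dictionary attack on a leaked copy of the store, and a forced
# reset that makes a cracked password useless for logging in.
# Assumptions: PBKDF2-HMAC-SHA256 with a low demo work factor; the cutoff
# timestamp, account names and passwords are constructed for the demo.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: demo work factor; production wants more, or Argon2/bcrypt
MID_2012 = 1_341_100_800  # assumption: 2012-07-01 UTC as the "unchanged since" cutoff


def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class AccountStore:
    """Minimal credential store: one random salt per user, never the plaintext."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def set_password(self, email: str, password: str, set_at: int) -> None:
        salt = os.urandom(16)  # fresh salt on every set or reset
        self._records[email] = {
            "salt": salt,
            "iterations": ITERATIONS,
            "digest": _pbkdf2(password, salt, ITERATIONS),
            "set_at": set_at,
            "reset_required": False,
        }

    def login(self, email: str, password: str) -> bool:
        rec = self._records.get(email)
        if rec is None or rec["reset_required"]:
            return False  # a reset-flagged account rejects every password, cracked or not
        candidate = _pbkdf2(password, rec["salt"], rec["iterations"])
        return hmac.compare_digest(candidate, rec["digest"])

    def force_reset_unchanged_since(self, cutoff: int) -> list[str]:
        """Flag every account whose password predates the cutoff; returns the emails."""
        flagged = []
        for email, rec in self._records.items():
            if rec["set_at"] < cutoff and not rec["reset_required"]:
                rec["reset_required"] = True
                flagged.append(email)
        return flagged

    def leaked_copy(self) -> dict[str, tuple[bytes, int, bytes]]:
        """What an attacker who dumps the table gets: salt, work factor and digest."""
        return {e: (r["salt"], r["iterations"], r["digest"]) for e, r in self._records.items()}


def crack_offline(leaked: dict, wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on the dump. The per-user salt forces one PBKDF2 run
    per (user, guess) pair, so the attacker's cost scales with the user count."""
    found = {}
    for email, (salt, iterations, digest) in leaked.items():
        for guess in wordlist:
            if hmac.compare_digest(_pbkdf2(guess, salt, iterations), digest):
                found[email] = guess
                break
    return found


def demo() -> dict:
    store = AccountStore()
    # Constructed sample accounts: alice and bob chose the same weak password in 2011.
    store.set_password("alice@example.com", "letmein2011", set_at=1_300_000_000)
    store.set_password("bob@example.com", "letmein2011", set_at=1_300_000_000)
    # carol changed hers after the cutoff, so she is outside the forced-reset set.
    store.set_password("carol@example.com", "correct horse battery staple", set_at=1_400_000_000)

    leaked = store.leaked_copy()
    # Same password, different salts, different digests: no shared rainbow table.
    distinct = leaked["alice@example.com"][2] != leaked["bob@example.com"][2]

    cracked = crack_offline(leaked, ["123456", "password", "letmein2011"])
    before = store.login("alice@example.com", cracked["alice@example.com"])

    flagged = store.force_reset_unchanged_since(MID_2012)
    after = store.login("alice@example.com", cracked["alice@example.com"])
    carol_ok = store.login("carol@example.com", "correct horse battery staple")

    # Completing the reset issues a fresh salt and digest; the old dump is now worthless.
    store.set_password("alice@example.com", "a long unique passphrase", set_at=1_470_000_000)
    new_ok = store.login("alice@example.com", "a long unique passphrase")
    old_fails = store.login("alice@example.com", "letmein2011")

    return {"salted_digests_differ": distinct, "cracked": sorted(cracked),
            "login_before_reset": before, "flagged": sorted(flagged),
            "login_after_reset": after, "carol_unaffected": carol_ok,
            "new_password_works": new_ok, "old_password_fails": old_fails}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the file directly to print the results. The point to notice is that `login_after_reset` is false even though the attacker recovered alice's password from the dump, while carol, whose password postdates the cutoff, is untouched. The reset only protects logins to this store: a cracked password that was reused on another service still works there, which is the reason for the advice that follows.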

Customers who signed up for Dropbox before mid-2012 with a password they used on other services should change those passwords too, Dropbox recommended.

They should create strong, unique passwords and enable two-step verification, the company urged. They also should be alert to spam or phishing attempts, because email addresses were exposed.

For security reasons, Dropbox could not answer any specifics about investigations into the hack, such as whether any outside security experts or law enforcement agencies have been looking into the breach, Morris told the E-Commerce Times.

Dropbox originally disclosed the hack attack in July 2012, saying it had started getting emails from some users about spam arriving at email addresses they used only for Dropbox.

Usernames and passwords stolen from other websites were used to sign into a small number of Dropbox accounts, Aditya Agarwal, vice president of engineering at Dropbox, explained at the time.

A stolen password was used to access an employee Dropbox account that contained a project document with user email addresses, according to the company, which is what led to the spam.

The Dropbox incident is similar to a recent attack on Tumblr, in that the scale of the leak wasn't apparent for quite some time, observed David Emm, principal security researcher at Kaspersky Lab. The personal information of more than 65 million Tumblr account holders was offered for sale on the dark Web about three years after the original 2013 breach.

"Customers that entrust their private information to an online provider should be able to rest safely in the knowledge that it is kept in a secure manner, and all companies that handle private data have a duty to secure it properly," Emm told the E-Commerce Times.

Customers can't take their digital security for granted, he warned. They should use complex passwords and multifactor authentication to guard against threats of this type.

The Dropbox attack also is reminiscent of the LinkedIn breach of 2012, when an attack that originally was thought to have impacted 6.5 million users eventually was found to have exposed 117 million users, noted Christopher Budd, global threat communications manager at Trend Micro.

The extent of that attack finally came to light this year, he told the E-Commerce Times.

These attacks reflect the "yard sale" trend, a relatively new practice in which hackers sell stolen personal data on underground markets, often years after the original intrusion.

One of the reasons data is held for a long time in these types of attacks is to make the origin of the breach much harder to trace, noted Kevin O'Brien, chief executive of GreatHorn.

"In part, the theory here is that these attacks are timed to both maximize damage and also be incredibly difficult to detect," he told the E-Commerce Times.

GreatHorn could not comment on specifics of the Dropbox breach due to a conflict, O'Brien said, but he noted that "the advanced persistent threat model is itself predicated on the idea that attackers are sophisticated enough to leverage these kind of stolen assets this way."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
