If you’ve been a Dropbox user for a while now, you may remember an incident four years ago in which the company reported that “a small number” of usernames were stolen. At the time, Dropbox said they contacted the users and helped them secure their accounts. It was recently revealed, however, that the true scope of the breach was much greater than initially reported. Motherboard, a tech website, said it obtained files that contained approximately 68 million e-mail addresses as well as hashed and salted passwords from that 2012 breach. Though Dropbox has not confirmed the 68 million number, they do acknowledge the password leak.
At this time, it appears that the only people affected by the news are individuals who had Dropbox accounts in 2012 or before, and who have not changed their passwords since 2012. If you believe you are part of that group, you should have received an e-mail from Dropbox prompting you to update your password. The company currently does not believe that any accounts have been accessed by hackers, but they are requiring the password reset to protect all users.
What are hashed and salted passwords?
The passwords compromised in the Dropbox breach were hashed and salted — but what does that actually mean? Hashing converts passwords (and other data) into fixed-length “fingerprints” that can’t be reversed back into the original password. This makes it next to impossible for hackers to recover a user’s real password from the hash alone.
Passwords can also be salted for an added layer of security. A salt is a random value that is mixed into each password before it is hashed, so that users who happen to share the same password end up with different hashes; a thief can no longer spot them by looking for a collection of identical hashes. The result is a unique string of letters and numbers that is extremely difficult to crack.
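To make the difference concrete, here is a small added example (not code from the article or from Dropbox) that hashes a few constructed sample passwords both with and without a salt. The unsalted SHA-256 fingerprints of two users with the same password are identical, which is exactly the pattern an attacker looks for; the salted versions, computed with PBKDF2-HMAC-SHA256 from Python's standard library, are all different even for the shared password, and the stored salt is all a server needs to verify a login later. The user names, passwords and iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts for the demonstration (not real data).
# Alice and Bob deliberately share a password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",
    "carol": "hunter2",
}

# Assumed work factor; real deployments tune this to their hardware.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 fingerprint: the same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: the salt is mixed in before hashing, so equal
    passwords yield different fingerprints, and the iteration count makes
    each guess expensive."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return digest.hex()


def make_record(password: str) -> dict:
    """Create the stored record for a new account: a fresh random salt plus the hash."""
    salt = os.urandom(16)  # one random salt per user, stored next to the hash
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def duplicate_groups(fingerprints) -> int:
    """Number of distinct fingerprints that occur more than once in a list."""
    return sum(1 for count in Counter(fingerprints).values() if count > 1)


def demo() -> dict:
    """Compare unsalted and salted storage for the sample accounts."""
    unsalted = [unsalted_hash(pw) for pw in SAMPLE_USERS.values()]
    records = {user: make_record(pw) for user, pw in SAMPLE_USERS.items()}
    salted = [rec["hash"] for rec in records.values()]
    return {
        "unsalted_duplicates": duplicate_groups(unsalted),  # 1: alice and bob collide
        "salted_duplicates": duplicate_groups(salted),      # 0: every hash is distinct
        "alice_login_ok": verify("correct horse", records["alice"]),
        "alice_login_wrong": verify("wrong password", records["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that salting does not make a weak password strong: an attacker who has the salt can still try guesses against one account, which is why the slow PBKDF2 derivation (or bcrypt, scrypt or Argon2 in practice) matters as much as the salt itself.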
Of course, there are always hackers who are going to try anyway. Leakbase, a repository for data breaches, got its hands on a copy of the Dropbox database and said on Twitter that it is currently trying to figure out the passwords.
What to do if you were affected by the Dropbox breach
First and foremost, change your password. However, moving forward, Dropbox also recommends the following security measures:
- Try not to reuse the same passwords across multiple services
- Make sure your passwords are strong and unique
- Only sign in from secure devices
- Enable two-step verification on your account
While this Dropbox breach doesn’t seem to be causing too much trouble for users, the website ZDNet is not impressed with the way the company has handled things. Primarily, it’s not happy with the way the company appears to downplay serious security issues for fear of scaring away users. Hopefully, Dropbox and other organizations will learn to be more open and transparent with users about security problems in the future — it’s no secret that some of the top companies around the world are being targeted by hackers, so it’s up to the affected company to respond in an upfront and truthful manner.
Image courtesy of Dropbox in 30 Minutes.