Dropbox employee’s password reuse led to theft of 60M+ user credentials

Dropbox disclosed earlier this week that a large chunk of its users’ credentials obtained in 2012 was floating around on the dark web. But that number may have been much higher than we originally thought.

Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.

Here’s the exact phrasing from the 2012 blog post:

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.

According to a Dropbox source, in addition to the user emails initially disclosed in 2012, a batch of hashed passwords associated with those emails was also taken. At the time of the breach, Dropbox was moving away from using the hashing function SHA-1, a standard algorithm at the time, and replacing it with the more robust standard called bcrypt. Some of the stolen passwords were hashed with SHA-1, while 32 million were hashed with bcrypt, Motherboard reports. The passwords were also secured with a salt, a random data string added to strengthen the hash. Even though these passwords have now been dumped online, it does not appear that the hash protections have been cracked.

In a November 2012 interview with Forbes, Dropbox CEO Drew Houston said the service had drawn around 100 million users, double from the same a year prior. The company most-recently said it now has 500 million registered users, though it won’t say exactly how many of those are monthly active users. If Dropbox had roughly 100 million users at the same time the hack occurred, this breach represented a staggering three-fifths of the company’s user base.

Hackers who used an employee’s password, re-used from the LinkedIn breach, to access Dropbox’s corporate network and steal the user credentials, sources said. So the fault doesn’t 100% rest on Dropbox, though it’s still a breakdown of security standards within the company and emphasizes the perils of password re-use that can extend into a corporate environment.

Dropbox has taken steps to ensure that its employees don’t reuse passwords on their corporate accounts, Patrick Heim, head of trust and security for Dropbox, told TechCrunch. The company has licensed the password management service 1Password for all employees, in an effort to encourage the use of unique and strong passwords. Dropbox also requires two-factor authentication for all internal systems, Heim said.

Given that Dropbox has continued to grow and there have been no colossal security snafus (that we know about) the company appears to have gotten by largely unscathed. Online cloud storage services are frequent targets for hackers because of the variety of content stored. One of the most poignant examples is the massive private celebrity photo leak that happened in September 2014. Dropbox was not linked to that hack, and sources stress that the passwords contained in the 2012 breach do not appear to have been cracked. 

And again, this happened in 2012, when Dropbox was still a young company (worth only $4 billion, compared to its $10 billion valuation now). Hiccups like this occur, though for Dropbox to be so light on the details can be frustrating given the necessity of transparency during security breaches.

PSA: please enable two-factor authentication :(