Last week, Dropbox asked longtime users to update their login credentials after learning that their information may have been compromised nearly four years earlier. At the time, the file-sharing site didn’t say just how many users were affected by this breach, but a new report shows that more than 68 million accounts were involved.
Motherboard reported Tuesday that it was recently able to obtain a selection of files containing 68.6 million email addresses and passwords for Dropbox accounts.
An employee with Dropbox confirmed to Motherboard that the data it received was legitimate and tied to the previously disclosed breach.
Motherboard reports that the hacked passwords would have been nearly impossible to decipher. Nearly 32 million of the compromised credentials include passwords secured with the strong hashing function bcrypt, while the remaining passwords include a random string, called a “salt,” that is added during the password hashing process to strengthen them.
Patrick Heim, head of Trust and Security at Dropbox, maintained that no accounts were improperly accessed following the 2012 breach and that the password change prompt issued last week covered nearly all of the affected users.
“Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts,” Heim said in a statement. “While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites.”
Heim goes on to suggest users enable two-step verification and make strong, unique passwords for their accounts.
Hackers Stole Account Details for Over 60 Million Dropbox Users [Motherboard]
by Ashlee Kieler via Consumerist