The email addresses and hashed passwords of over 68,680,741 Dropbox users were recently exposed online, Motherboard reports.
The data came from a 2012 Dropbox data breach that resulted from the compromise of a single employee's account. Sooner after that breach was disclosed, the company made two-factor authentication available to users.
Dropbox last week began notifying users that it was resetting all passwords that hadn't been changed since 2012 due to the exposure of "an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012."
"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed," the company stated. "Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
The Guardian notes that since the company had around 100 million customers in 2012, the data dump represents as much as two-thirds of Dropbox's user accounts.
Nathan Wenzler, principal security architect at AsTech Consulting, told eSecurity Planet by email that breaches like these have become a common enough occurrence that most people should be taking basic precautions with their passwords for online services.
It's crucial, Wenzler said, for all users to do the following:
- Never use the same password on more than one site. If the password is compromised, it can't be used to access any other site you use.
- Ensure your password is lengthy and complex. Even if a weaker hash is used, it can potentially make brute-forcing the password more difficult or even impossible within a reasonable amount of time.
- Change your passwords periodically. There's a reason why companies have their employees change their passwords regularly. Employ the same practice for your personal accounts and credentials, too.
"Even though Dropbox has stated that most passwords were encrypted with a strong cipher, others were not and those run the risk of being hacked," Wenzler said.
Regardless, IDT911 chairman and founder Adam Levin said by email that email addresses alone can convey a significant amount of sensitive data. "Email addresses are at the foundation of our digital identities, as they often contain significant names and/or numbers, such as your birthday, college, or work," he said. "All of this information becomes tiny breadcrumbs that hackers can use to guess passwords and answer security questions to access even more sensitive information."
Earlier this year, a LastPass survey found that fully 95 percent of U.S. consumers admit sharing up to six passwords with others, and 22 percent share passwords with their coworkers.
A recent eSecurity Planet article looked at the future of identity management.