SAN FRANCISCO - A Dropbox breach in 2012 involved 68 million user emails and encrypted passwords, far larger than the 6.9 million originally reported two years ago, the company said Wednesday.
The storage and file sharing company became aware last week that a cache of four files containing the user data, all from mid-2012 or before, had turned up on the Internet underground.
In response, the company sent out a mandatory password reset message to all users who signed up for Dropbox prior to mid-2012 and who also hadn't changed their passwords since then.
Despite the ten-fold increase in the number of accounts known to be affected, there is no indication that any Dropbox user accounts have been improperly accessed, said Patrick Heim, head of trust and security at the San Francisco-based company.
“Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts,” he said.
Users should, however, be aware of possible hacker attempts to leverage news stories about the discovery to trick people into clicking on links to malware and other security risks, he said.
“Individuals who received a notification from Dropbox should also be alert to spam or phishing,” Heim said.
The discovery of the files was first reported by the tech site Motherboard on Tuesday.
About 50% of the passwords were encrypted using a strong algorithm, and it's unlikely hackers would be able to decode and use them. The other 50% used a slightly weaker algorithm that was considered strong in 2012, but it should still protect them.
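As an added illustration (not Dropbox's code or anything from the article), the snippet below combines the two points above: the reset rule for accounts created before mid-2012 whose password has not changed since, and a login path that verifies against either of two stored-hash schemes and replaces the weaker one with the stronger on a successful login. The record layout, the hash prefixes, the exact cutoff date, and the choice of salted SHA-1 and scrypt as the weaker and stronger schemes are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed illustration: record layout, hash prefixes, the cutoff date and the
# two hashing schemes are assumptions, not Dropbox's actual storage scheme.
CUTOFF = datetime(2012, 7, 1, tzinfo=timezone.utc)  # stands in for "mid-2012"

def legacy_hash(password: str, salt: bytes) -> str:
    """Fast salted SHA-1 stands in for the 'slightly weaker' 2012-era scheme."""
    return f"sha1${salt.hex()}${hashlib.sha1(salt + password.encode()).hexdigest()}"

def strong_hash(password: str, salt: bytes = b"") -> str:
    """Memory-hard scrypt stands in for the 'strong algorithm'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute under the stored value's scheme and compare in constant time."""
    hashers = {"sha1": legacy_hash, "scrypt": strong_hash}
    parts = stored.split("$", 2)
    if len(parts) != 3 or parts[0] not in hashers:
        return False
    return hmac.compare_digest(hashers[parts[0]](password, bytes.fromhex(parts[1])), stored)

def needs_reset(created_at: datetime, changed_at: datetime) -> bool:
    """The article's rule: signed up before the cutoff and no password change since."""
    return created_at < CUTOFF and changed_at < CUTOFF

def login(record: dict, password: str) -> tuple:
    """Apply the reset rule, verify, and on success replace a legacy hash with a strong one."""
    if needs_reset(record["created_at"], record["password_changed_at"]):
        return False, record  # route the user to the reset flow instead of logging in
    if not verify(password, record["pw_hash"]):
        return False, record
    if record["pw_hash"].startswith("sha1$"):
        record = {**record, "pw_hash": strong_hash(password)}  # password itself unchanged
    return True, record

def sample_records() -> dict:
    """Constructed accounts (not real users): one stale since 2011, one changed in 2014."""
    old = datetime(2011, 3, 1, tzinfo=timezone.utc)
    recent = datetime(2014, 5, 1, tzinfo=timezone.utc)
    return {"stale": {"pw_hash": legacy_hash("correct horse", b"\x01" * 8),
                      "created_at": old, "password_changed_at": old},
            "active": {"pw_hash": legacy_hash("hunter2", b"\x02" * 8),
                       "created_at": old, "password_changed_at": recent}}
```

The stale account is refused even with the right password, which is what makes a forced reset effective regardless of whether the leaked hash is ever cracked.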
Simple digital hygiene
It's not uncommon for large files of data from older breaches to appear online in underground data trading or sales sites. While no Dropbox customers have had their account accessed due to the file disclosure, the discovery is yet another reminder that online users need to practice basic digital hygiene.
“People should be taking all of the most common precautions with their user accounts and passwords when using online services,” said Nathan Wenzler, a security consultant with AsTech Consulting in San Francisco.
The same passwords should never be used on more than one site. That way, if one account is compromised, hackers can't use the same password on others — and they do look around and try.
Passwords should be reasonably complex. Extremely simple passwords (1234 is one of the most commonly used, according to analysts) can be decrypted even if a company uses strong encryption to store them.
Change passwords periodically. In the Dropbox case, a remarkable number of users still had the same password on the system they first created in 2012. That makes things easier for hackers.