Last week, Dropbox initiated a password reset for all of its users who haven’t changed their password since mid-2012. The company initially called it only a “preventative measure,” However, on Tuesday afternoon, the company updated its previous announcement to say that 68 million user credentials have been leaked, following the 2012 data breach.
Back in 2012, Dropbox said that an employee’s password was stolen, which then led to the theft of some users’ emails. At the time, Dropbox made no mention of user passwords being stolen as well--just that the users that had their emails stolen may be receiving some spam email. It's likely that the company didn't know the true extent of the hack, as sometimes data breaches happen without leaving much of a trail behind.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again,” said Dropbox in 2012.
The company’s security researchers only recently found out that an old set of user credentials (both emails and passwords) was circulating online. After further analysis, they realized that those credentials may have been leaked in the 2012 data breach incident.
Troy Hunt, an independent security expert who also created HaveIBeenPwned.com (a website that tells people when their emails were included in various data breaches), discovered that 68,648,009 Dropbox accounts were leaked in the wild.
Dropbox confirmed that number yesterday, but it said that it didn’t believe any of the user accounts are at risk because their passwords been encrypted, hashed and salted, which makes them harder to bruteforce. Accounts with common passwords, such as “password” or “1234” are of course more vulnerable to bruteforcing, though.
Although Dropbox said that it believed no user accounts were compromised, whoever had access to the server may also have had access to the encryption key. That would have allowed the attacker to see decrypted passwords while the accounts were in use, according to Tresorit, a company that offers end-to-end encrypted storage for business users.
“Even though the leaked passwords are hashed and not the actual Dropbox passwords, they might possibly be used to access files that are stored on the server. Why? At-rest encryption that stores encrypted files together with encryption keys doesn’t help: those having the hashed passwords may access the files already in a decrypted form,” hypothesized Tresorit.
End-to-end encryption seems to be hated by the FBI and other national governments because it removes their ability to turn major service providers into one-stop-shops for data requests. However, for the same reason that it's easier for the FBI to gain access to that user data, it’s also easier for an attacker to get the same data through hacking. With one successful hack, attackers can gain access to millions of accounts, especially if they weren’t properly encrypted and hashed. When data is end-to-end encrypted, only the user has access to it, which means that attackers would need to hack into every user’s system to get their passwords.
Unlike Google or even Microsoft, Dropbox doesn’t need to mine users’ data. Therefore, Dropbox could at least give users an option to encrypt the data in the local client before syncing it to the cloud and to other devices. The data would then be synced in encrypted form, and neither Dropbox nor malicious hackers, nor abusive governments for that matter, would have access to that data.
Dropbox likely doesn’t want to make all data encrypted locally by default, the way Spideroak or Tresorit do it, because that removes some convenience, which many users would rather not give up. However, plenty of users would also gladly make the trade-off, if given the opportunity.
Until Dropbox enables such a feature, it’s probably best to reset your Dropbox password, just to be on the safe side. Dropbox also advised users to turn on its two-factor authentication feature to further increase the safety of their accounts.