Dropbox was the subject of a breach way back in 2012, and the online cloud storage company vehemently denied it for quite some time. Not much was known about the magnitude of the leak until recently. Earlier this week Dropbox forced password resets for accounts that were registered prior to mid-2012 as “purely a preventive measure”. Dropbox mentioned that they don’t believe that any account had been hacked. However, recent reports based on analysis of data dumps from the 2012 hack indicate that email IDs and passwords associated with Dropbox have indeed been hacked. Based on those same data dumps, it appears that 68,680,741 accounts were compromised in the 2012 breach.
Leakbase.pw, a website that notifies users about password leaks, obtained four files totaling up to 5 GB which contained the credentials of all users affected by the 2012 breach. Anonymous Dropbox officials have even confirmed that these files do indeed contain user data. Two of these files contain email addresses and bcrypt hashes, and the other two contain email addresses and SHA1 hashes.
Have I been hacked?
If you registered on Dropbox prior to mid-2012, then it’s quite probable that your data has been traded openly and whatever password was used is now known to many. Soon enough, services like https://haveibeenpwned.com will update their databases with the breach data and you’ll be able to check this easily. Since the passwords of about 32 million accounts were hashed using the bcrypt algorithm, it’s safe to say that those accounts will be a lot more difficult to crack. But if you happen to be one of the many unlucky ones whose account passwords were hashed using the SHA1 algorithm, then it’s best that you change your passwords as early as possible.
Dropbox has modified the way it hashes passwords since 2012, so hackers would have a much tougher time cracking passwords if there had been any more breaches after 2012. Given the magnitude of the breach, Dropbox now ranks 6th in the list of the Top 10 breaches of all time.