The popular cloud storage firm DropBox has been hacked and the details of 68 million of its users’ emails and login passwords have been dumped onto the internet for the whole world to see.
The hack, which took place in 2012…wait a minute, 2012? Let me just check that. Yeah, apparently DropBox got hacked in 2012.
So why is this news then?
That’s a good question.
It turns out that back in 2012, DropBox did report the hack, stating that a number of email addresses had been stolen. But last week, Dropbox found itself in the embarrassing situation of having to announce that it had performed a mass account reset, and any user who hadn’t changed their passwords since mid-2012 was forced to change it in order to keep using Dropbox.
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”
The 2012 hack, wasn’t so much of a hack, as carelessness on the part of one DropBox employee, and luck on the part of the hackers. When LinkedIn found itself hacked in 2012 as well, the hackers happened to steal an old LinkedIn password of a hapless DropBox employee, which was unfortunately still the employee’s password for his corporate Dropbox account. The hackers then used this to access the DropBox network. What happened next was perhaps, inevitable.
At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called Bcrypt. That said, at the time, the company had only completed the new encryption protocol for about half its users.
The fact the DropBox breach was caused by the hack of another company only serves to highlight the importance of making sure you regularly change your password for online accounts, and enable 2 step verification whenever you can.