Data included only Dropbox emails and hashed passwords

Aug 31, 2016 03:20 GMT

A security breach at Dropbox that took place in 2012 affected over 68 million users, according to data received by data breach index service LeakedSource.

Dropbox admitted to the breach in 2012, when the incident took place, but never revealed any details about how it happened and how many users were affected.

68,680,741 Dropbox users affected

According to analysis provided by LeakedSource, the data stolen in 2012 includes details for 68,680,741 users in the format of "email:password_hash."

The password strings are hashed using two different algorithms. 31,865,280 passwords are hashed with bcrypt, and the rest, 36,815,461, are hashed with SHA1.

"Looks like SHA1 hashes aren't immediately crackable," LeakedSource told Softpedia, "similar to Tumblr." According to the LeakedSource spokesperson, this was because Dropbox used "some unknown salt" to alter the password hash, which makes precomputed-hash lookups ineffective.
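The mixed hash store described above (legacy salted-SHA1 records alongside a slow, modern format) is the situation a proactive reset is designed to clean up. The following is an added illustration, not Dropbox's code: it assumes a legacy layout of hex(sha1(salt + password)) with a per-record salt, and uses hashlib.pbkdf2_hmac as the strong format because bcrypt is not in the Python standard library.

```python
import hashlib
import hmac
import os
import re
from datetime import date
from typing import Optional, Tuple

LEGACY_SHA1 = re.compile(r"^[0-9a-f]{40}$")   # 40 hex chars = raw SHA1 digest
PBKDF2_ITERATIONS = 200_000                   # assumed work factor
CUTOFF = date(2012, 7, 1)                     # "mid-2012" from the article

def legacy_sha1(salt: bytes, password: str) -> str:
    """Assumed legacy scheme: salted SHA1, hex-encoded."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Modern record: self-describing string with algorithm, cost, salt and digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_strong(stored: str, password: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def make_legacy_record(password: str, created: date, last_change: date) -> dict:
    """Constructed sample record in the legacy format (for the demo only)."""
    salt = os.urandom(8)
    return {"hash": legacy_sha1(salt, password), "salt": salt,
            "created": created, "last_change": last_change}

def login(record: dict, password: str) -> Tuple[bool, str]:
    """Returns (authenticated, action): 'force_reset', 'rehashed', 'ok' or 'denied'."""
    if LEGACY_SHA1.match(record["hash"]):
        # Precautionary reset: legacy hash, registered before mid-2012, never changed.
        # Decided before verifying, so the response is not a password oracle.
        if record["created"] < CUTOFF and record["last_change"] < CUTOFF:
            return False, "force_reset"
        if not hmac.compare_digest(legacy_sha1(record["salt"], password), record["hash"]):
            return False, "denied"
        # Correct password on a legacy record: migrate it to the strong format now.
        record["hash"], record["salt"] = strong_hash(password), b""
        return True, "rehashed"
    if verify_strong(record["hash"], password):
        return True, "ok"
    return False, "denied"
```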

A quick cross-referencing of the emails included in the leaked data shows that a few of the addresses were never included in any other public breaches.

Dropbox had already taken precautionary measures last week

Last week, Dropbox brought the 2012 incident back into the public eye after it forced users to change their passwords if they registered before mid-2012 and had never changed their password in the meantime.

The company admitted to the 2012 breach once again and revealed that it discovered some old Dropbox user records exchanged online.

"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," Patrick Heim, Head of Trust and Security for Dropbox, told Softpedia following our inquiry into the data's authenticity.

"We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."

Dropbox data is most likely useless

Even if the Dropbox data is not available on Dark Web marketplaces, it appears it is already being circulated among data hoarders, according to a report from Motherboard, citing "sources in the database trading community."

The Dropbox data dump is already in the possession of LeakBase.pw, which supplied it to Motherboard, and of LeakedSource, which has started password brute-forcing operations and will be adding the Dropbox data to its index today.

Softpedia has reached out to other data breach index services such as Hacked-DB, Databases.Land (formerly known as Hexile), and Have I Been Pwned, and inquired if the data has been made available to them as well.

"For the most part until we (or someone else) figures out how they [the passwords] were hashed, the database is useless other than knowing who registered for Dropbox for [sending] spam emails," LeakedSource added.

Taking into account the data's age, Dropbox's precautionary measures, the salted and partly bcrypt-based password hashing, and the scarcity of user details included in the breach, our opinion echoes LeakedSource's: the Dropbox data dump is mostly useless and won't bring any profits to anyone attempting to sell it.

UPDATE: A report from The Register confirms that Have I Been Pwned has received the data as well, revealing how widely the Dropbox data is currently being circulated among data hoarders and traders. Data that's thrown around so easily is usually data that has no more value to the person who stole it.

Have I Been Pwned's founder, Troy Hunt, also confirmed in an independent verification that the Dropbox data is authentic.