News: Dropbox has prompted users to reset their passwords.
The full extent of a Dropbox hack in 2012 has become clear, with nearly 70 million account details for Dropbox users stolen.
While Dropbox disclosed the attack around that time, only now has it been revealed that 68,680,741 accounts had been compromised, according to records obtained by Motherboard.
The account details, provided by Leakbase, were related to the 2012 incident.
However, due to Dropbox’s use of encryption the passwords were unlikely to be deciphered by hackers.
On 25 August, Dropbox announced that users of Dropbox who had signed up prior to mid-2012 would be prompted to change their passwords when they signed in.
The company also told its users that if they had used the passwords on other sites, they should change it on Dropbox and other services.
It also urged users to adopt two-factor authentication, a security feature that was introduced at the time of the previous hack. Other new measures included automated mechanisms to identify suspicious activity, a new page to examine logins to a user’s account and password prompts.
Dropbox said that the measures had been taken as a precaution and that there was no evidence that any user accounts had been improperly accessed, basing this on “threat monitoring and the way we secure passwords”.
The incident originally came to light when Dropbox users began receiving spam emails at addresses used only for Dropbox.
Dropbox said that this had happened when a stolen password was used to access an employee Dropbox account containing a project document with user email addresses.
“We have dedicated security teams that work to protect our services and monitor for compromises, abuse, and suspicious activity,” wrote Patrick Heim, Head of Trust & Security for Dropbox, in a blog.
“We’ve implemented a broad set of controls including independent security audits and certifications, threat intelligence, and bug bounties for ethical hackers. In addition, we build open source tools such as zxcvbn, use bcrypt password hashing, and offer Universal 2nd Factor authentication to all users.”
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said that the incident showed the need for enterprises to be aware of the multiple cloud services in use by their employees.