Dropbox hack from 2012 found to contain data from 69 million users

Both TechCrunch and Motherboard have confirmed through sources within Dropbox that the 2012 hack didn’t just affect email addresses, as previously believed. It now appears that the passwords of about 69 million users were also stolen.

The two sites report that some of the passwords were hashed using the bcrypt algorithm; in total, 32 million passwords were secured this way. The rest are said to be hashed with SHA-1, which is known to be a less secure algorithm. All passwords are also salted. It is unclear whether hackers have managed to crack the passwords. The database is not available on the major Internet marketplaces for such goods, Motherboard said.

Dropbox already sent an email to its users last week requiring them to reset old passwords. The email referenced the 2012 incident, but the company did not provide exact numbers. The reset was also said to be a ‘proactive action’. Patrick Heim, head of security at Dropbox, told Motherboard that he can confirm that the alert emails were sent to all users who were “potentially at risk.” In the email, Dropbox also recommended enabling two-factor authentication.

The hackers were able to break into Dropbox in 2012 using an employee’s reused password, which appeared in LinkedIn’s leaked data. The size of the hack came to light this year, as did leaked data from Tumblr and MySpace.

Update, 12:00 PM: Security researcher Troy Hunt has found the database to be genuine. Users can check whether their email address or username is among the leaked data on Hunt’s site, ‘Have I Been Pwned’.
