Dropbox’s systems were compromised in 2012, and at least some of the compromised data is up for sale on a darknet site. Dropbox were aware of the hack back in 2012 but state, in their email to customers, that they only recently realized the extent of the loss. The hacked data, which amounts to approximately 5 GB in size, is one of the larger leaks in recent times, but it is not considered to be especially valuable: the price has been set at two bitcoins, which is the equivalent of around $1,150. The data is not all that valuable because it is four years old and because Dropbox both “hashed” and “salted” the password data, which means a hacker must crack it before it is useful. “Hashing” is a term used to describe converting passwords into a fixed number of seemingly random characters, and “salting” is the means of adding an extra value to each password before it is hashed. These techniques will slow hackers down, but the passwords can still be cracked, especially in data taken four years ago. To date, it does not appear that the data has been sold.
Dropbox have emailed customers to tell them to reset their passwords. Although one would hope that people have changed their passwords in the last four years, the risk here is that should a hacker successfully crack the data, customers who have not changed their passwords since would be in danger. Worse, a common practice amongst consumers is to reuse passwords across different websites and services, which means that should a hacker gain access to a Dropbox account, that same email and password combination could also work on a large number of other services. Stolen email and password data can be fed into software designed to test access to a large number of websites and services, which ultimately could result in something more sensitive being accessed. Back in 2012, Dropbox’s website explained that the data hack was caused by an employee sharing a password used for a corporate login with another service. Given Dropbox’s popularity, if you have received the email from Dropbox to change your password, and especially if you have used this password for other accounts, it would be prudent to change your passwords.
Today, Dropbox offer two-step authentication for online accounts, a system that other businesses also use. Since the announcement of the data loss, Dropbox reports that almost ten times as many customers are signing up for the newer, higher-security option to sign into their accounts. Two-step authentication systems are harder to break into as they often rely on another connected piece of technology, such as a smartphone, to verify the account.