Just over a month ago today, The Hacker News covered the topic of Dropbox Hacks. In the article, they reported of a team of hackers managing to steal over 68 million Dropbox accounts during a data breach, back in 2012.
This article was conducted rather early in time, as they had failed to reveal the true scale of this massive breach. It wasn’t until August, in which this massive breach was fully realized. LeakBase was able to get their hands on the files in which held user credentials of over 68 million accounts. Such credentials consisted of email address as well as passwords for those active, and non-active, DropBox users. Originally the leaked information pertaining to DropBox accounts had been accessible to several websites, including Hacked-DB, LeakedSource, and HaveIBeenPwned. However, more recently, a new vendor known as “DoubleFlag” has been discovered selling these DropBox exploits, hosting them on a dark web marketplace.
Just last month, a Dark Web marketer, TheRealDeal, was also selling the DropBox account data. It is reported that TheRealDeal sold the DropBox credentials on the dark web for $1,200-USD a piece.
Online activist, Thomas White (AKA Cthulhu), had obtained a copy of the report and proceeded to upload the entire hack onto his website. In his claims of moving in this direction, he aimed to help security researchers examine the large data breach. Ironically, Cthulhu had uploaded the information to DropBox.
Thomas White is also the individual in which had previously dumped the accounts leaked from other massive data breaches, such as Ashley Madison, and the popular social network site, MySpace.
But there is some good news to this story! Thanks to the services at BCrypt, out of the some odd number of 68 million users exposed, 32 million users are secured via a strong hashing function based in the BCrypt methods. Unfortunately, the rest of the accounts are only hash secured by the traditional SHA-1 hashing algoritm. It is also plausible that the accounts may in fact be utilizing a Salt. Salt is basically a random string added to the hashing process, in order to further aid the security of hashing passwords.
DropBox ranks within the top 5 largest data breaches during this past summer. As millions of active online accounts are leaked, several individuals often use their same email, and occasionally can be found using the same password, for their emails and social media profile accounts as well.
Security researchers, alongside some common sense, is advising you to immediately change your password and create a new one that is stronger than your typical password. If you are having issues with creating a custom password, I recommend using the online services of Passwords Generator. You can select your password length, including symbols, numbers, lower and uppercase letters.
Sources: The Hacker News, The Hacker News (Dropbox Hacked), Hacked-DB, LeakedSource, HaveIBeenPwned, TheRealDeal , DropBox (the Cthulhu), Sourceforge (BCrypt), SHA-1-Online, Passwords Generator.
This article (68 Million DropBox Accounts Exposed Online.) is a free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.
