Cloud storage provider Dropbox has said the password reset measures the company put in place has prevented any hacking of user data, following revelations made in stories which argued that millions of account details had been accessed.
Certain Dropbox users received an email from the cloud storage provider earlier this week advising that if their account password was the same as before mid-2012, they will be prompted to change it the next time they sign in.
A blog post at the time from Patrick Heim, Dropbox head of trust and security, said it was done “purely as a preventative measure”. Yet according to a Motherboard story citing an anonymous Dropbox employee, as well as being vetted by other publications, the number of credentials taken from 2012 total more than 68 million.
Troy Hunt, a security expert who curates the ‘Have I been pwned?’ service, also obtained a copy of the data, and trawled through it finding not only his details – although his password had been changed well after the purported breach – but his wife’s.
Given her password had not been changed since April 2012, and that she uses a password manager, Hunt put two and two together. “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords – you simply can’t fabricate this sort of thing,” Hunt wrote.
Heim said in a statement today: “This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed. Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012.
“We can confirm that the scope of the password reset we completed last week did protect all impacted users,” Heim added. “Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.”
So what does this mean for users? David Emm is principal security researcher at Kaspersky Lab. He argues the importance of the ‘positive impact’ the EU General Data Protection Regulation (GDPR) could bring to the situation, but sounds a note of caution.
“Organisations should prepare on the basis that hackers will get in,” Emm said. “It’s therefore positive that we’re starting to see a shift from organisations using defensive strategies towards being better prepared.
“Dropbox hashed and salted passwords, and immediately gave advice to consumers, recommending that they change their passwords as a precaution. We know that many people use the same password across multiple online accounts, so it’s important that those affected take steps to change their password for other online accounts where they have used the same password”, added Emm.
“While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites,” said Heim. “The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification.
“Individuals who received a notification from Dropbox should also be alert to spam or phishing,” he added.