Dropbox Hacked – 68 Million User Accounts Compromised


So was Dropbox hacked? There were some rumours going around last week after it sent out a password reset e-mail warning to all users. It seems to be limited to users who were active in 2012, and the only ones who would be in trouble are, as usual, those who haven’t changed their password since 2012 and those who re-use passwords across multiple sites.


I’d hope those two criteria exclude everyone reading this site. Plus the passwords weren’t leaked in plain text; they were hashed (some with bcrypt and some with SHA), and the SHA hashes are salted.

A data dump purported to contain 60 million Dropbox user IDs is the real thing, with the company confirming it to The Register, and independent verification from security researcher Troy Hunt.

However, apart from the existence of a file with user IDs and hashed passwords, the company believes nothing has changed since last week.

A spokesperson told The Register “We are confident that this is not a new incident; this data is from 2012, and these credentials were covered by the password reset”.

We’re also told there was no new breach of Dropbox systems.


It also seems strange that this follows the massive leak of LinkedIn credentials earlier this year, which likewise dated from 2012: again a dump surfacing four years later, and again a HUGE cache of details.

Coincidence? Maybe; perhaps the same perpetrators, but I don’t see what reason or value there would be in releasing these 4-year-old credential dumps.

The Register’s conversation with Hunt – operator of HaveIBeenPwned and security educator – bears that out to a degree, since while Hunt has identified his pre-2012 user ID in the list, the author’s post-2012 account is not in the 60 million records.

Hunt is currently preparing the data to load into HaveIBeenPwned, but believes it’s unlikely that anyone’s going to recover passwords anytime soon.

Testing his own password against the bcrypt hash demonstrates the file is real, Hunt said, although a definitive date is hard to prove.

The four files Hunt obtained extract to a bit more than 4.7 GB, he said, and while there’s 2.21 GB of SHA hashes, even those might pose a problem for an attacker, since they’re salted – the attacker would need the salts to decrypt the hashes.

The files have been validated as real, as the company itself has confirmed it, and they have been independently validated by security researchers.
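To make the salting point above concrete, here is an added example (not code from the post, The Register, or Dropbox, whose exact hash format is not given here) using only the Python standard library: a per-user random salt is stored next to a SHA-1 digest, verification requires that salt, and a precomputed table of unsalted digests for a few weak passwords recovers every unsalted record but none of the salted ones. bcrypt’s additional work factor is not modelled.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords; a real precomputed table would be far larger.
COMMON_PASSWORDS = ["password", "123456", "letmein", "dropbox2012"]


def salted_sha1(password: str, salt: bytes) -> str:
    """Return 'hexsalt$hexdigest' where digest = SHA-1(salt || password)."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def make_record(password: str) -> str:
    """What a site stores: the digest under a fresh 16-byte random salt."""
    return salted_sha1(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    candidate = salted_sha1(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, digest)


def unsalted_lookup_table(words):
    """Precomputed SHA-1(password) -> password map; only matches unsalted digests."""
    return {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in words}


def lookup_hits(records, table):
    """Count leaked digests recovered by a plain table lookup (no hashing at all)."""
    return sum(1 for r in records if r.split("$", 1)[1] in table)


def demo():
    """Return (hits against unsalted records, hits against salted records)."""
    table = unsalted_lookup_table(COMMON_PASSWORDS)
    unsalted = [salted_sha1(p, b"") for p in COMMON_PASSWORDS]   # empty salt
    salted = [make_record(p) for p in COMMON_PASSWORDS]          # random salt
    return lookup_hits(unsalted, table), lookup_hits(salted, table)


if __name__ == "__main__":
    print(demo())  # unsalted records all recovered, salted ones not: (4, 0)
```

Without the salt an attacker must compute a fresh digest per salt per candidate, which is the cost the salting buys; a slow hash such as bcrypt multiplies that cost further.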

I’m not sure if any real harm is going to come from this, or it’s just another flash in the pan. I’d be more interested in reading a forensic analysis of how the intruders got hold of the credentials.

But as we know, that kind of stuff is NEVER forthcoming.

You can search for your own e-mail address here to see if any of your accounts have been leaked – https://haveibeenpwned.com/

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy

