Dropbox recently disclosed that a large set of user credentials leaked in 2012 had surfaced on the dark web, and that the number of affected users was far larger than initially thought.
The company protects user passwords by hashing and salting them, which means that the attackers who obtained the hashed password files were unable to crack them.
However, sources point out that more information was taken from Dropbox than the company first publicly admitted: not only were Dropbox user emails leaked, but a significant number of the hashed passwords associated with those emails also ended up in the hands of attackers.
Motherboard reported that 68,680,741 Dropbox users got their credentials compromised in the leak.
When the breach took place, Dropbox was already using bcrypt, a hashing method more robust than SHA-1, the standard algorithm of the time. Of the stolen password hashes, 32 million were reportedly produced with bcrypt.
Somewhat reassuringly, the passwords carry an additional layer of protection in the form of a salt, a randomly generated data string appended before hashing. The good news is that, although the data was dumped online, the hash protections appear to be holding up against cracking attempts.
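As an added illustration (not Dropbox's code) of why the salted, slow hashing described above holds up better than the plain SHA-1 of the era: Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256, which shares bcrypt's salt-plus-work-factor design, stands in for it; the storage format and function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme the article contrasts bcrypt with: one unsalted SHA-1 per password.
# Every user who picks the same password gets the same digest, so a single
# precomputed table answers for all of them at once.
def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Modern scheme: a random per-user salt plus a deliberately slow, tunable KDF.
# Hypothetical storage format: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)  # 128-bit random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification time does not leak how much of the hash matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Constructed sample: two accounts that happen to share the same password.
def demo() -> dict:
    shared = "correct horse battery staple"
    legacy = [legacy_sha1(shared), legacy_sha1(shared)]
    modern = [hash_password(shared), hash_password(shared)]
    return {
        "legacy_collide": legacy[0] == legacy[1],  # True: identical digests, one table serves both
        "modern_collide": modern[0] == modern[1],  # False: different salts, no shared precomputation
        "verify_ok": all(verify_password(shared, h) for h in modern),
        "verify_wrong": verify_password("wrong password", modern[0]),
    }

if __name__ == "__main__":
    print(demo())
```

Raising the iteration count (or bcrypt's cost factor) is what makes each guess expensive for an attacker while remaining affordable for a single login check.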
Despite the breach in security, Dropbox has registered a significant user base expansion during the last years.
In November 2012, the company's chief, Drew Houston, said that the service had doubled its number of user accounts, topping 100 million. The company recently reported a hefty increase, counting as many as 500 million users. Keep in mind, however, that the number of monthly active users is kept under wraps.
If Dropbox counted 100 million users when the breach happened four years ago, it means that three fifths of the company's user base was compromised.
Sources pointed out that the attackers used an employee's password that had been reused from the LinkedIn leak, the other major security failure of 2012.
This suggests that the fault for the leak does not rest entirely on Dropbox's shoulders, but it underlines the dangers of password reuse and shows how perilous it is in a corporate environment.
Since then, the company made efforts to make sure that its employees avoid reusing passwords on their corporate accounts.
In an attempt to enforce the use of strong and unique passwords, Dropbox offered licenses for the password manager 1Password to all of its employees. According to Patrick Heim, Dropbox's head of trust and security, the company requires two-factor authentication on all of its internal systems.
Looking at how Dropbox grew after the user credentials leak, it looks like the company did its homework in keeping passwords safe via hashing and salting.
Hackers frequently target online cloud storage services because of the wide variety of content stored on their servers. Possibly the most famous example is the large private celebrity photo leak of September 2014, though Dropbox was not linked to that hack in any way at the time.
Keep in mind that the last major leak featuring Dropbox happened in 2012, when the company was still in its infancy. No company is perfect and security hiccups are to be expected, but Dropbox could certainly use more transparency in its communication, especially during breaches.
If you are a frequent Dropbox user, changing your password right now might be a very good idea.