Hackers have stolen over 60 million account details, including passwords, from Dropbox. This hack actually happened four years ago, but the details are only now coming to light.
Tech website Motherboard reported Wednesday that it obtained files containing the account details from sources in the database trading community and breach notification service Leakbase. The files contain email addresses and “hashed” passwords, which use an algorithm to protect the passwords, it said.
The hackers gained access to Dropbox from an earlier attack on LinkedIn, where account details were stolen. The problem for Dropbox was that employees were using the same passwords across multiple sites, meaning that once hackers gained the master key, it could unlock every door.
We’ve mentioned the dangers of reusing passwords before, and this Dropbox attack highlights exactly why it’s a bad idea.
Dropbox have already taken care of the problem, resetting all passwords so no users are currently in danger. The problem, however, is how long it took Dropbox to acknowledge that passwords had been stolen.
“Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012,” said Patrick Heim, Head of Trust and Security at Dropbox.
“Salted” passwords use random data as an additional layer of protection.
Dropbox recently launched a major password reset, prior to the dumped data becoming public.
“We can confirm that the scope of the password reset we completed last week did protect all impacted users,” Heim said.
“Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts.”
These types of hacks highlight the difference between using Cloud Applications and Cloud Platforms. Remember, a good cloud platform will keep your data safe and include multiple data backup centres.
Again, this shows the need for your data to be secure and to have a Disaster Recovery Plan in place if everything goes wrong. As demonstrated by this latest hack, it doesn’t even have to be your business that’s been the target of the attack: if employees are reusing their passwords, your business could be at risk.