Email and password data for more than 68 million Dropbox users is for sale in the darknet marketplace.
The data set, which is from a 2012 breach, includes users’ email addresses as well as obscured passwords. The nearly 5 gigabytes of data represents one of the larger user credential leaks in recent years. Its price is reportedly being set at two bitcoins, the equivalent of about $1,141, by a data trafficker on the darknet website TheRealDeal. There are no reports that the data set has been successfully sold yet.
Dropbox announced the four-year-old breach last week when it sent out an email to affected users informing them that it would be proactively resetting their passwords. It told users that their accounts were being reset because the company had been notified about a possible threat. But the full extent of the massive breach was reported by Motherboard, and was confirmed to The Washington Post by a Dropbox official.
Dropbox was aware of a security breach in 2012 and told its customers, but it says the true scope and size of the hack was new information until last week. Patrick Heim, head of trust and security at Dropbox, said the company felt it had taken sufficient preventive measures by proactively resetting passwords. Heim added that at this point, there is still no evidence that the users’ passwords have been successfully decoded and sold.
Hacked user credentials can be very valuable among data traders. Email and password data is typically bought and sold on the darknet, a tier of anonymous and largely untraceable Internet access that is often used for illegal activity such as drug or firearms trading. Large sets of stolen user data can be fed into software that automatically cycles through email/password combinations to break into different websites. Given that many people reuse the same passwords on multiple websites, this can be a very effective method. Dropbox actually points to an employee's reused password, hacked from another website, as the cause of the 2012 Dropbox breach, according to a blog post that year on its website.
But the stolen passwords from Dropbox were hashed and salted. Both are methods of obscuring passwords should they fall into hackers' hands. Hashing converts each password into a fixed-length string of seemingly random characters, while salting adds a secret value to the end of each password before it is hashed, so that two users with the same password do not end up with the same stored value. Hashing and salting can help to keep passwords safe in stolen databases, but the danger is that both techniques only slow an attacker down: given enough computing time, hashed passwords can eventually be recovered by guessing, especially for passwords obtained several years ago with the weaker hashing schemes of the time. However, at this time there is still no confirmation that any of the passwords have been successfully decoded and sold. It's one reason the reported value of the data, at two bitcoins, is so low.
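To make the salting point concrete, here is an added example (not Dropbox's code, and the article does not say which hash function Dropbox used) that stores passwords with PBKDF2-HMAC-SHA256 and a per-user random salt, and counts how many distinct stored values a constructed set of users produces with and without salting. The user list, the iteration count and the record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2; a constructed value for this example, not a figure from the article.
ITERATIONS = 100_000

# Constructed sample: three of the four users chose the same password.
SAMPLE_PASSWORDS = ["correct horse", "correct horse", "correct horse", "hunter2"]


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt_hex$digest_hex".

    A fresh 16-byte random salt is drawn when none is supplied, so users who
    pick the same password still get different stored records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_distinct_stored_values(passwords, salted: bool) -> int:
    """How many different values a leaked table would show for these users.

    Unsalted, every user with the same password shares one visible digest, so one
    recovered guess unlocks all of them; salted, each record must be attacked alone.
    """
    if salted:
        stored = {hash_password(p) for p in passwords}
    else:
        stored = {hashlib.sha256(p.encode("utf-8")).hexdigest() for p in passwords}
    return len(stored)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record, verify_password("hunter2", record))
    print("unsalted:", count_distinct_stored_values(SAMPLE_PASSWORDS, salted=False))
    print("salted:  ", count_distinct_stored_values(SAMPLE_PASSWORDS, salted=True))
```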