The rumours were true; Dropbox was hacked back in 2012 and customer login credentials were compromised. It has now been revealed that over 68 million Dropbox usernames and passwords were stolen. This massive security breach happened because a Dropbox employee reused his account password on other websites. Read on for more details and for lessons that can be learned from this mega breach.
In 2012, Dropbox published a blog post about users receiving spam to email addresses that were only used for the cloud storage service. The company traced it back to usernames and passwords that were stolen from other sites that were then used to log into Dropbox accounts that shared the same login credentials.
Unfortunately, one of the compromised Dropbox accounts belonged to a company employee who had reused his password on one of the hacked websites:
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam."
It's now believed that hackers got more than just email addresses. They managed to get their hands on over 68 million passwords as well, which can all be found on Have I Been Pwned, a website that tracks compromised accounts. Half of the over 60 million account passwords were hashed with bcrypt, which is extremely difficult to crack, but the rest were protected only by the now-deprecated SHA-1 and are potentially easier to recover through brute force.
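To make the bcrypt-versus-SHA-1 point concrete, here is an added example (not Dropbox's code) of how a service can tell a legacy unsalted SHA-1 record from a salted, deliberately slow one by its format, and quietly upgrade the weak records the next time each user logs in. Because bcrypt needs a third-party package, the example uses PBKDF2-HMAC-SHA256 from Python's standard library as the stand-in slow hash; the credential store, the user names and the password values are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# A legacy record is a bare 40-hex-character SHA-1 digest with no salt and no
# work factor: one cheap hash computation per guess for an attacker.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
PBKDF2_ITERATIONS = 200_000  # work factor for the upgraded scheme


def classify_hash(stored: str) -> str:
    """Identify a stored password hash by its on-disk format."""
    if stored.startswith(("$2a$", "$2b$", "$2y$")):  # bcrypt modular-crypt prefixes
        return "bcrypt"
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    if SHA1_HEX.match(stored):
        return "sha1"
    return "unknown"


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash in the form pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme using constant-time comparison."""
    kind = classify_hash(stored)
    if kind == "sha1":
        # Legacy path: a single unsalted SHA-1 round, as used for the older
        # half of the leaked Dropbox records.
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    if kind == "pbkdf2":
        _, iters, salt_hex, dk_hex = stored.split("$")
        recomputed = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(recomputed.hex(), dk_hex)
    # bcrypt verification would need the third-party `bcrypt` package (assumption:
    # not installed here), so such records are treated as unverifiable.
    return False


def login_and_upgrade(store: Dict[str, str], username: str,
                      password: str) -> Tuple[bool, bool]:
    """Return (authenticated, upgraded). A successful login against a legacy
    SHA-1 record replaces it in place with a salted PBKDF2 record, since the
    plaintext is only available at login time."""
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False, False
    if classify_hash(stored) == "sha1":
        store[username] = hash_pbkdf2(password)
        return True, True
    return True, False


def legacy_count(store: Dict[str, str]) -> int:
    """How many records still use the weak legacy scheme (a migration metric)."""
    return sum(1 for h in store.values() if classify_hash(h) == "sha1")


# Constructed sample store: one legacy SHA-1 user and one already-upgraded user.
CREDENTIAL_STORE: Dict[str, str] = {
    "alice@example.com": hashlib.sha1(b"XYZ1234").hexdigest(),
    "bob@example.com": hash_pbkdf2("correct horse battery staple"),
}

if __name__ == "__main__":
    store = dict(CREDENTIAL_STORE)
    print("legacy records before:", legacy_count(store))
    print(login_and_upgrade(store, "alice@example.com", "XYZ1234"))
    print("legacy records after:", legacy_count(store))
```

The upgrade-on-login pattern is the usual way to retire a weak scheme without forcing every user through a reset at once; `legacy_count` gives the number to track until it reaches zero, at which point the SHA-1 branch in `verify` can be removed.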
Ladies and gentlemen, if this isn't the best example of why you shouldn't reuse passwords across websites, I don't know what is. Many reputable websites, including Dropbox, have robust security measures to prevent hackers from getting through and stealing valuable information, but others don't (think Ashley Madison). If hackers get their hands on your login details from a little-known online forum, and you reused that same password for something important like your email account, then you're at risk of having that account compromised too.
I get it; it's so easy to just type in your usual 'XYZ1234' for every online account you own because remembering a different password for each of them is hard. But you're leaving yourself wide open to becoming a victim of security breaches and data theft. The accounts hackers gain access to could contain confidential and personal information that could be damaging to your work and personal life.
Dropbox has been quite good at handling the breach so far. As soon as it found out that user logins were out in the open, it contacted customers to let them know that it had force-reset their passwords. Users who have two-factor authentication switched on also have an added layer of security. Even so, it's still recommended that Dropbox users change their passwords as soon as possible. You can never be too safe.
Better yet, get into the habit of using a password manager. This means you can keep your passwords protected and in a centralised location so you don't have to remember login details for every one of your online accounts. If you don't know where to start, here’s a list of password managers you can try.