As I’m sure a lot of you have heard, 68 million passwords for Dropbox accounts were leaked to the public. This follows the 2012 hack, about which Dropbox stated the following on their blog:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.
At the time it was believed, and stated by Dropbox, that only user e-mails were stolen. Dropbox disclosed that an employee’s password had been acquired and used to access a document containing e-mail addresses, but it was not disclosed that passwords were also stolen. This is because Dropbox stores passwords hashed and salted, so technically the statement was correct: the hashes were stolen, not the passwords themselves.
How was the employee’s password acquired? If you remember the LinkedIn breach a few years ago, the attackers took the Dropbox employee’s password from that breach and used it to gain access to those documents. He broke a very important password rule we reiterate all the time: don’t use the same password on multiple sites.
Two-factor authentication and refraining from using the same password twice will help to alleviate some of the hacks and breaches we are experiencing.
If you had a Dropbox account prior to 2013, it is recommended you change your password immediately because of this breach. Make sure to follow our guide for staying safe online, found here.
The hack definitely highlights a need for better security on the user end as well as at the companies storing user data. Although Dropbox did have the passwords somewhat protected, there was still a severe gap in protocol, or in employees following protocol.
In short, please review our post on protecting yourself online and follow the guidance set forth there. And as always, if there are any questions or concerns regarding this post or any other post please don’t hesitate to reach out!