Dropbox's biggest hack happened in 2012. Files totaling 5GB with the details of 68,680,741 accounts were found online, and a “senior Dropbox employee” has confirmed that the leak information is legitimate, according to Motherboard.
Dropbox has released a statement about the hack, further clarifying what has happened:
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”
Earlier this week, a proactive password reset covered all the accounts affected by the Dropbox hack. However, given that the details have been stolen since 2012, a four-year gap remains in which millions of Dropbox users' data was not as secure as they would have hoped. Side note: Dropbox had 100M total users in 2012.
The Hack Probably Didn't Do Any Damage
There's a silver lining: There's no evidence of foul play tied to the use of the account data, just in the initial hack that stole it. Dropbox, at least, has seen “no evidence of malicious access of these accounts,” according to a spokesperson. Motherboard further explains the reasons why:
“Nearly 32 million of the passwords are secured with the strong hashing function bcrypt, meaning it is unlikely that hackers will be able to obtain many of the users' actual passwords. The rest of the passwords are hashed with what appears to be SHA-1, another, aging algorithm. These hashes seem to have also used a salt; that is, a random string added to the password hashing process to strengthen them.”
Most of the damage dealt out in the Dropbox hack, it seems, was to Dropbox's reputation. They responded as best they could, but their business model as an online cloud storage platform makes them a ready target for over-eager hackers.