69 Million Dropbox Passwords Compromised; Last.fm Reportedly Breached in 2012

To the annals of super-bad historical mega breaches that no one knew about, add a new entry: file-hosting service Dropbox. Separately, music service Last.fm also was reportedly breached badly in 2012, although that has yet to be independently confirmed.

On Aug. 27, Dropbox began alerting customers that if they had signed up to the service before mid-2012 but not changed their passwords since mid-2012, then they would be required to do so.

“We recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012,” Dropbox says on its website, indicating it first heard related rumors in mid-August. Resetting the passwords that it believes may have been exposed “ensures that even if these passwords are cracked, they can’t be used to access Dropbox accounts,” the alert notes.

Dropbox first learned about that breach in 2012 and issued an alert to users in July of that year, saying it had traced the breach to an employee reusing their corporate password across multiple sites. The company said it added new security features designed to protect against such breaches. But at the time, Dropbox evidently failed to comprehend the true magnitude of the breach and forced relatively few password resets.

What’s belatedly come to light, however, is that as a result of that 2012 breach, details for almost 69 million user accounts – including email addresses and hashed passwords – were stolen. The information reportedly began circulating recently on underground forums.

More Historical Mega Breaches

This year has seen a spate of mega breaches belatedly coming to light. Four were announced in May alone: MySpace, the date of whose breach remains unclear, though it’s obviously not recent; LinkedIn, which disclosed that its 2012 breach resulted in 165 million passwords being compromised; Tumblr, which warned that 65 million accounts were breached in 2013, prior to its acquisition by Yahoo; and “adult social network” Fling, which said that 41 million accounts were breached in 2011.

On Sept. 1, paid data breach site Leaked Source described yet another old, alleged breach, this one hitting music service Last.fm. Leaked Source claims that the service was hacked in March 2012 and data on 43.6 million users – including usernames, email addresses and passwords – was stolen. While that breach has yet to be independently verified, Leaked Source says that it successfully cracked 96 percent of the site’s unsalted passwords, which had been hashed with MD5.

Last.fm didn’t immediately respond to a request for comment on that report.

Dropbox Breach: Worse than Believed

Dropbox’s Aug. 27 breach alert arrived just a few months after several identity theft services misreported that user data from the site had been leaked (see Dropbox Confident Amidst Breaches).

It turns out, however, that the 2012 Dropbox breach appears to have been much worse than originally believed. Indeed, sometime after Dropbox was hacked in mid-2012, “a large volume of data totaling more than 68 million records was subsequently traded online and included email addresses and salted hashes of passwords, half of them SHA-1, half of them bcrypt,” says Troy Hunt, who runs the free Have I Been Pwned? website.

Security experts laud bcrypt as an excellent, purpose-built password-hashing algorithm, but warn that SHA-1 and MD5 are fast, general-purpose hashes that are deprecated for password storage and shouldn’t be used for it: a salt stops an attacker from cracking every user with one precomputed table, but only a slow, tunable algorithm such as bcrypt makes each guess expensive. Dropbox, to its credit, appears in recent years to have phased out SHA-1 in favor of bcrypt.
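The following is an added example, not code from the article or from Dropbox, Last.fm or Leaked Source. It illustrates why the three hashing choices mentioned above (Last.fm’s unsalted MD5, Dropbox’s salted SHA-1 and its bcrypt) fare so differently against a wordlist attack. The user records, passwords, salts and wordlist are constructed for the example; the salts are fixed bytes only so the output is reproducible (real systems must draw them from `os.urandom`). Because bcrypt is not in the Python standard library, `hashlib.pbkdf2_hmac` with a high iteration count stands in for it here as the slow, tunable hash.

```python
import hashlib

# Constructed sample data (not from any breach dump): a small wordlist and
# three users, two of whom chose passwords that appear in the wordlist.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dropbox", "iloveyou"]
USERS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}
SALTS = {"alice": b"\x01" * 8, "bob": b"\x02" * 8, "carol": b"\x03" * 8}  # fixed for reproducibility


def md5_unsalted(pw: str) -> str:
    """Unsalted MD5, as Leaked Source reported for the Last.fm dump."""
    return hashlib.md5(pw.encode()).hexdigest()


def sha1_salted(pw: str, salt: bytes) -> str:
    """Salted SHA-1: unique per user, but still a single fast hash per guess."""
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def slow_salted(pw: str, salt: bytes, rounds: int = 20_000) -> str:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 with a tunable work
    factor). Each guess now costs `rounds` hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


def build_unsalted_dump() -> dict:
    return {user: md5_unsalted(pw) for user, pw in USERS.items()}


def build_salted_dump(hash_fn) -> dict:
    return {user: (SALTS[user], hash_fn(pw, SALTS[user])) for user, pw in USERS.items()}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Unsalted: hash each candidate once, then look every user up in the table.
    The table can even be precomputed before the dump is obtained.
    Returns (cracked, number_of_hash_evaluations)."""
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump: dict, wordlist: list, hash_fn) -> tuple:
    """Salted: every user's hash is unique, so each candidate must be re-hashed
    per user; no shared lookup table is possible.
    Returns (cracked, number_of_hash_evaluations)."""
    cracked, evaluations = {}, 0
    for user, (salt, target) in dump.items():
        for w in wordlist:
            evaluations += 1
            if hash_fn(w, salt) == target:
                cracked[user] = w
                break
    return cracked, evaluations


def cost_per_guess(hash_fn, rounds: int = 20_000) -> int:
    """Relative cost of one guess: 1 for a fast hash, `rounds` for the slow KDF."""
    return rounds if hash_fn is slow_salted else 1


if __name__ == "__main__":
    cracked, n = crack_unsalted(build_unsalted_dump(), WORDLIST)
    print(f"unsalted MD5 : cracked {cracked} with {n} hash evaluations (shared table)")
    for name, fn in (("salted SHA-1", sha1_salted), ("slow KDF", slow_salted)):
        cracked, n = crack_salted(build_salted_dump(fn), WORDLIST, fn)
        print(f"{name:13}: cracked {cracked} with {n} evaluations, "
              f"each costing ~{cost_per_guess(fn)} hash ops")
```

The cracked set is the same in all three cases, which is the point: salting and a slow hash do not protect a password that is in the attacker’s wordlist. What changes is the cost per user. Unsalted MD5 is attacked once for the whole dump, salted SHA-1 forces a fresh pass of the wordlist for every user, and the bcrypt-style hash multiplies each of those passes by its work factor, which is why Dropbox could say that cracked hashes would still be expensive to obtain and why it reset the affected passwords anyway.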

Technology news site Motherboard reports that it obtained a sample of the data that hackers allegedly stole from Dropbox, and that it contains details relating to 68.7 million accounts, including email addresses and hashed passwords. It says that an unnamed, senior Dropbox employee confirmed that the information was legitimate.

Dropbox couldn’t be immediately reached for comment on that report.

But Hunt says he independently reviewed the data and found it to be authentic. He acknowledges that it contains old passwords set by him and his wife.

Schwartz, Matthew J. Data Breach Today, “Dropbox’s Big, Bad, Belated Breach Notification,” September 2016.