The online storage platform Dropbox suffered a massive blow back in August when the company learned that over 60 million of its user accounts had been compromised and their credentials stolen by malicious threat actors in 2012. The latest news is that the actual figure of stolen Dropbox accounts was 68,680,741, and the email addresses and hashed passwords of these 68 million accounts can now be downloaded for free.
The data, stolen about two months back, was dumped online by Thomas White aka The Cthulhu on his personal website in order to help security researchers investigate the breach.
White has posted this message on his website as well:
“I have assisted to keep this breach public for those who are struggling to find a reliable source for research.”
This isn’t the first time that White has tried to expose large data hacks. Previously, White dumped emails and documents from Ashley Madison, an affairs-oriented website, as well as data from the much-talked-about breach at MySpace, the dating website Muslim Match, the servers of the United States’ largest police union and NASA, to name a few.
It must be noted that about 32 million of the Dropbox account passwords are protected with the advanced and powerful hashing function bcrypt, so hackers cannot obtain those users’ actual passwords. The remaining passwords are hashed with the older SHA-1 algorithm along with a salt. But, apparently, this particular data dump does not include the salts. So, we can assume that it would be really difficult for hackers to get hints about the real passwords.
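To make the distinction above concrete, here is an added example (not code from the article or from Dropbox) that stores and verifies a password under the two kinds of scheme the dump contains: a single salted SHA-1 pass, and an adaptive, deliberately slow hash. bcrypt itself is not in the Python standard library, so the slow scheme is a stand-in built on PBKDF2-HMAC-SHA256 with a high iteration count; the password, salts and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample password for illustration only; nothing here comes from the dump.
SAMPLE_PASSWORD = b"correct horse battery staple"


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """Legacy scheme: one SHA-1 pass over salt + password. Very fast to compute."""
    return hashlib.sha1(salt + password).digest()


def slow_kdf(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stand-in for bcrypt (hypothetical choice for this example): PBKDF2-HMAC-SHA256
    with a high iteration count, so each guess costs far more than a single SHA-1."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes, scheme: str, salt: Optional[bytes] = None) -> dict:
    """Build a stored credential record: scheme name, per-user salt and digest."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per account
    if scheme == "sha1":
        digest = salted_sha1(password, salt)
    elif scheme == "pbkdf2":
        digest = slow_kdf(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "digest": digest}


def verify(record: dict, candidate: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Without the salt the stored digest cannot be recomputed at all."""
    if record["scheme"] == "sha1":
        computed = salted_sha1(candidate, record["salt"])
    else:
        computed = slow_kdf(candidate, record["salt"])
    return hmac.compare_digest(computed, record["digest"])


def salt_changes_digest(password: bytes) -> bool:
    """The same password under two independent salts yields two different digests,
    which is why a dump without salts is much less useful than one with them."""
    a = make_record(password, "sha1")
    b = make_record(password, "sha1")
    return a["digest"] != b["digest"]


def cost_ratio(password: bytes, salt: bytes, trials: int = 3) -> float:
    """Rough measure of how many times slower the adaptive scheme is than SHA-1."""
    start = time.perf_counter()
    for _ in range(trials):
        salted_sha1(password, salt)
    fast = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    for _ in range(trials):
        slow_kdf(password, salt)
    slow = (time.perf_counter() - start) / trials
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    rec = make_record(SAMPLE_PASSWORD, "pbkdf2")
    print("verify correct:", verify(rec, SAMPLE_PASSWORD))
    print("verify wrong:  ", verify(rec, b"wrong"))
    print("salt changes digest:", salt_changes_digest(SAMPLE_PASSWORD))
    print("slow/fast cost ratio:", round(cost_ratio(SAMPLE_PASSWORD, rec["salt"])))
```

The `cost_ratio` figure is what the article’s “advanced and powerful” remark refers to in practice: an adaptive hash makes every guess orders of magnitude more expensive than a single SHA-1, and `salt_changes_digest` shows why the missing salts matter for the SHA-1 portion of the dump.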
Dropbox maintains that the company hasn’t observed any malicious activity on these hacked accounts in recent times. We also came to know that last month the Dropbox data dump was being sold by a vendor on the Dark Web for nearly $1200. Probably this is the reason why the data is now available publicly: once a hacked database goes out for sale, it ends up being dumped online for easy public access.
We have already witnessed this happen with Twitter, Yahoo and LinkedIn when these platforms suffered massive data breaches. The data first appeared for sale on the Dark Web, and soon after it was available online for free download.