Slashdot Mirror


Hackers Stole Account Details for Over 60 Million Dropbox Users

The Dropbox hack is more severe than we expected. Motherboard has the details: Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts. The data is legitimate, according to a senior Dropbox employee. Security expert Troy Hunt has corroborated on Motherboard's claims, and has updated Have I Been Pwned website where you can go and see if you're among one of the victims.

7 of 66 comments

  1. Just for the record... by ravrazor · · Score: 5, Informative

    Just FYI, although slashdot postings have never been extremely literate: Nobody corroborates ON something, you just corroborate something, i.e. I corroborated the claims about Dropbox. At least someone may have learned something on slashdot today.

    1. Re:Just for the record... by b0bby · · Score: 2

      And if we're going to go there: you can't be "among one of the victims", you could be either among the victims or one of the victims.

  2. Is this website legit? by __aaclcg7560 · · Score: 3, Interesting

    I played around with the https://haveibeenpwned.com/ website, confirming that very old email addresses were compromised in the last few years. But how legit is this website?

    1. Re:Is this website legit? by Richard_at_work · · Score: 5, Informative

      Extremely legit, Troy Hunt goes to great lengths to ethically report breaches, hiding "sensitive" results (so you can't search someone's email to see if they were a Maddison Ashley account holder, for example) as well as verifying a dataset is authentic (there are fake ones going around).

      You should sign up to that site immediately, if you haven't already. You get email notifications if a new breach includes your email address, which is worth it alone.

    2. Re:Is this website legit? by cdrudge · · Score: 3, Informative

      Is it possible that your email account was previously used by someone else, or that someone else signed up under your account?

      Also not all the data necessarily pertains to log in account data. Perhaps your email address was a backup contact address, a friend's contact, referral, etc. There's lots of ways some basic information about you could be "compromised" with a data breach even if you never had an actual account.

  3. Re:Grain of salt by jittles · · Score: 2

    Just for giggles I went there and put in my throw away email that I use to register to crap. Apparently I was "pwned" in the MySpace hack. Funny thing is I've never had a MySpace account. Ever. I'm not calling bullshit, but when the site tells me I'm owned and asks for a donation, I'm going to question it. But I know 100% I have never registered a MySpace account.

    And you're sure that you've been the only person to own that email address? My throw away email address got leaked in a hack and someone used it to sign up for an Instagram account without my knowledge or consent. I get emails from Instagram all the time saying that there is suspicious activity associated with the account I never created. So one day I went to Instagram and did the password recovery on that throw away account and, sure enough, they let someone create and use an account without me ever authenticating the email address.

  4. Re:One must wonder... by bigfinger76 · · Score: 2

    LastPass, too, was the victim of a 'malicious hack':
    LastPass breach, 2015