Online cloud storage company Dropbox has revealed that the details of more than 60 million accounts were stolen in a previously announced breach. The company confirmed it forced password changes for a number of accounts following the breach.
The announcement highlights the ongoing risk to cloud-based services and the need for constant vigilance.
The sheer size of the recent breach was only revealed after online publication Motherboard obtained 68,680,741 records from a database trading community. A senior Dropbox employee confirmed that the data was legitimate.
The company announced: “Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”
Motherboard said it was provided the full data set by breach notification service Leakbase.
“We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, Head of Trust and Security for Dropbox.
Users advised to change passwords for other services
The passwords in the data were not stored in the clear but as salted hashes, and not all records used the same hashing scheme. Heim added that customers using the same password on other services should nevertheless consider changing their passwords there as a precaution, since a salted hash only slows an attacker down rather than making a weak or reused password unrecoverable.
As news of the 68 million-record breach spread across the internet, music service Spotify changed the passwords of millions of its accounts.
“Spotify has not experienced a security breach and our user records are secure,” the company said in an email. The password reset is merely a precaution, it said.
Because many Dropbox users may have the same passwords on multiple services, Spotify was simply taking precautionary steps to protect those users.
While the password hashes for many of the stolen accounts may resist cracking, depending on how strong the hashing scheme and the underlying password are, the email addresses in the data are in plain text and remain exposed for phishing and credential-stuffing attempts against other services.
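To make the "hashed and salted, but still reset your reused passwords" point concrete, here is an added example (written for this article, not Dropbox's code) that runs an offline dictionary attack over a constructed leaked table. The emails, passwords, wordlist and salts are all made up for the demo; salted SHA-1 stands in for a fast hash and the standard library's PBKDF2 stands in for a slow KDF such as bcrypt. It shows that a per-user salt forces the attacker to rehash the wordlist once per record instead of once per table, that a slow KDF multiplies the cost of every guess, and that neither protects a password that is already in the wordlist.

```python
"""Dictionary attack against a leaked table of salted password hashes.
Added example for the article; all users, passwords and salts are constructed."""
import hashlib
import os
import time
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the wordlists crackers actually run.
WORDLIST = ["123456", "password", "qwerty", "dropbox", "letmein"]

# Constructed users; only the last one chose a password absent from the wordlist.
USERS = [
    ("alice@example.com", "password"),
    ("bob@example.com", "dropbox"),
    ("carol@example.com", "xK9#v2!qLm4@Zp8"),
]

Hasher = Callable[[bytes, bytes], bytes]
Record = Tuple[str, bytes, bytes]  # (email, salt, digest)


def sha1_salted(password: bytes, salt: bytes) -> bytes:
    """Fast salted hash: the salt defeats precomputed tables, not brute force."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_salted(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow salted KDF from the stdlib, standing in for bcrypt/scrypt/Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def build_records(hasher: Hasher, per_user_salt: bool = True) -> List[Record]:
    """Build the (email, salt, digest) rows a credential store would hold.
    per_user_salt=False simulates a single site-wide salt (or none at all)."""
    shared = os.urandom(16)
    rows = []
    for email, pw in USERS:
        salt = os.urandom(16) if per_user_salt else shared
        rows.append((email, salt, hasher(pw.encode(), salt)))
    return rows


def dictionary_attack(records: List[Record], hasher: Hasher,
                      wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline cracking of a leaked table.
    Returns (cracked {email: password}, number of hash evaluations spent)."""
    cracked: Dict[str, str] = {}
    evaluations = 0
    tables: Dict[bytes, Dict[bytes, str]] = {}  # one lookup table per distinct salt
    for email, salt, digest in records:
        # A salt shared across rows lets the attacker reuse one table for all of them;
        # unique salts force a fresh pass over the wordlist for every record.
        if salt not in tables:
            table: Dict[bytes, str] = {}
            for word in wordlist:
                table[hasher(word.encode(), salt)] = word
                evaluations += 1
            tables[salt] = table
        if digest in tables[salt]:
            cracked[email] = tables[salt][digest]
    return cracked, evaluations


def seconds_per_guess(hasher: Hasher, trials: int = 20) -> float:
    """Wall-clock cost of one candidate guess under a given scheme."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        hasher(b"guess%d" % i, salt)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    for name, hasher in (("sha1+salt", sha1_salted), ("pbkdf2+salt", pbkdf2_salted)):
        cracked, n = dictionary_attack(build_records(hasher), hasher, WORDLIST)
        print(f"{name}: cracked {sorted(cracked)} in {n} hash evaluations, "
              f"{seconds_per_guess(hasher) * 1e6:.0f} us per guess")
    _, shared = dictionary_attack(build_records(sha1_salted, per_user_salt=False),
                                  sha1_salted, WORDLIST)
    print(f"sha1 with one shared salt: {shared} evaluations for the whole table")
```

Both schemes give up the two wordlist passwords; the slow KDF only raises the price per guess (here by orders of magnitude), which is exactly why the reset-on-other-services advice stands regardless of how the leaked hashes were stored.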