As a result, Dropbox sent out warnings to all users who had not changed their passwords since 2012, when it had about 100m customers. In other words, the data dump represents over 2/3 of its user accounts. At the time, the service had a good user data security practice by encrypting the passwords and upgrading the encryption to a more secure standard. However, 50% of passwords were still encrypted with the old standard at the time of the hack.
Apparently, the original breach resulted from the reuse of a Dropbox employee’s password on LinkedIn. The latter also suffered a breach, which revealed the password and thus allowed the hackers to enter Dropbox’s corporate network. The intruders then obtained access to the user database with encrypted passwords. The file-hosting company reset part of user passwords at the time, but didn’t reveal precisely how many.
Security experts reiterate that the hack once again highlighted the need for tight security, both at the user end and for the companies storing user data. While users must use strong passwords, enable two-step authentication and avoid reusing passwords, companies must take further steps to secure their databases – even with solid encryption practices, Dropbox still fell foul of password reuse.
Meanwhile, Dropbox claimed that there was no indication that Dropbox user accounts have been improperly accessed, pointing out that the credentials are user email addresses with hashed and “salted” passwords that were valid before 2012. The company explained that the scope of the completed password reset protected all impacted users.
Some specialists advise using a password manager in order to secure the scores of unique and complex passwords required to properly secure various login details. However, the latest attacks on such companies as Opera, which stores and syncs user passwords, and password manager OneLogin, have shown the dangers of using such a tool.
Sourced from torrentfreak