Startups

Dropbox employee’s password reuse led to theft of 60M+ user credentials

Comment

Dropbox disclosed earlier this week that a large chunk of its users’ credentials obtained in 2012 was floating around on the dark web. But that number may have been much higher than we originally thought.

Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.

Here’s the exact phrasing from the 2012 blog post:

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.

According to a Dropbox source, in addition to the user emails initially disclosed in 2012, a batch of hashed passwords associated with those emails was also taken. At the time of the breach, Dropbox was moving away from using the hashing function SHA-1, a standard algorithm at the time, and replacing it with the more robust standard called bcrypt. Some of the stolen passwords were hashed with SHA-1, while 32 million were hashed with bcrypt, Motherboard reports. The passwords were also secured with a salt, a random data string added to strengthen the hash. Even though these passwords have now been dumped online, it does not appear that the hash protections have been cracked.

In a November 2012 interview with Forbes, Dropbox CEO Drew Houston said the service had drawn around 100 million users, double from the same a year prior. The company most-recently said it now has 500 million registered users, though it won’t say exactly how many of those are monthly active users. If Dropbox had roughly 100 million users at the same time the hack occurred, this breach represented a staggering three-fifths of the company’s user base.

Hackers who used an employee’s password, re-used from the LinkedIn breach, to access Dropbox’s corporate network and steal the user credentials, sources said. So the fault doesn’t 100% rest on Dropbox, though it’s still a breakdown of security standards within the company and emphasizes the perils of password re-use that can extend into a corporate environment.

Dropbox has taken steps to ensure that its employees don’t reuse passwords on their corporate accounts, Patrick Heim, head of trust and security for Dropbox, told TechCrunch. The company has licensed the password management service 1Password for all employees, in an effort to encourage the use of unique and strong passwords. Dropbox also requires two-factor authentication for all internal systems, Heim said.

Given that Dropbox has continued to grow and there have been no colossal security snafus (that we know about) the company appears to have gotten by largely unscathed. Online cloud storage services are frequent targets for hackers because of the variety of content stored. One of the most poignant examples is the massive private celebrity photo leak that happened in September 2014. Dropbox was not linked to that hack, and sources stress that the passwords contained in the 2012 breach do not appear to have been cracked. 

And again, this happened in 2012, when Dropbox was still a young company (worth only $4 billion, compared to its $10 billion valuation now). Hiccups like this occur, though for Dropbox to be so light on the details can be frustrating given the necessity of transparency during security breaches.

PSA: please enable two-factor authentication :(

More TechCrunch

Looking Glass makes trippy-looking mixed-reality screens that make things look 3D without the need of special glasses. Today, it launches a pair of new displays, including a 16-inch mode that…

Looking Glass launches new 3D displays

Replacing Sutskever is Jakub Pachocki, OpenAI’s director of research.

Ilya Sutskever, OpenAI co-founder and longtime chief scientist, departs

Intuitive Machines made history when it became the first private company to land a spacecraft on the moon, so it makes sense to adapt that tech for Mars.

Intuitive Machines wants to help NASA return samples from Mars

As Google revamps itself for the AI era, offering AI overviews within its search results, the company is introducing a new way to filter for just text-based links. With the…

Google adds ‘Web’ search filter for showing old-school text links as AI rolls out

Blue Origin’s New Shepard rocket will take a crew to suborbital space for the first time in nearly two years later this month, the company announced on Tuesday.  The NS-25…

Blue Origin to resume crewed New Shepard launches on May 19

This will enable developers to use the on-device model to power their own AI features.

Google is building its Gemini Nano AI model into Chrome on the desktop

It ran 110 minutes, but Google managed to reference AI a whopping 121 times during Google I/O 2024 (by its own count). CEO Sundar Pichai referenced the figure to wrap…

Google mentioned ‘AI’ 120+ times during its I/O keynote

Firebase Genkit is an open source framework that enables developers to quickly build AI into new and existing applications.

Google launches Firebase Genkit, a new open source framework for building AI-powered apps

In the coming months, Google says it will open up the Gemini Nano model to more developers.

Patreon and Grammarly are already experimenting with Gemini Nano, says Google

As part of the update, Reddit also launched a dedicated AMA tab within the web post composer.

Reddit introduces new tools for ‘Ask Me Anything,’ its Q&A feature

Here are quick hits of the biggest news from the keynote as they are announced.

Google I/O 2024: Here’s everything Google just announced

LearnLM is already powering features across Google products, including in YouTube, Google’s Gemini apps, Google Search and Google Classroom.

LearnLM is Google’s new family of AI models for education

The official launch comes almost a year after YouTube began experimenting with AI-generated quizzes on its mobile app. 

Google is bringing AI-generated quizzes to academic videos on YouTube

Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company.  Earlier this week, TechCrunch reported…

Motional cut about 550 employees, around 40%, in recent restructuring, sources say

The keynote kicks off at 10 a.m. PT on Tuesday and will offer glimpses into the latest versions of Android, Wear OS and Android TV.

Google I/O 2024: Watch all of the AI, Android reveals

Google Play has a new discovery feature for apps, new ways to acquire users, updates to Play Points, and other enhancements to developer-facing tools.

Google Play preps a new full-screen app discovery feature and adds more developer tools

Soon, Android users will be able to drag and drop AI-generated images directly into their Gmail, Google Messages and other apps.

Gemini on Android becomes more capable and works with Gmail, Messages, YouTube and more

Veo can capture different visual and cinematic styles, including shots of landscapes and timelapses, and make edits and adjustments to already-generated footage.

Google Veo, a serious swing at AI-generated video, debuts at Google I/O 2024

In addition to the body of the emails themselves, the feature will also be able to analyze attachments, like PDFs.

Gemini comes to Gmail to summarize, draft emails, and more

The summaries are created based on Gemini’s analysis of insights from Google Maps’ community of more than 300 million contributors.

Google is bringing Gemini capabilities to Google Maps Platform

Google says that over 100,000 developers already tried the service.

Project IDX, Google’s next-gen IDE, is now in open beta

The system effectively listens for “conversation patterns commonly associated with scams” in-real time. 

Google will use Gemini to detect scams during calls

The standard Gemma models were only available in 2 billion and 7 billion parameter versions, making this quite a step up.

Google announces Gemma 2, a 27B-parameter version of its open model, launching in June

This is a great example of a company using generative AI to open its software to more users.

Google TalkBack will use Gemini to describe images for blind people

Google’s Circle to Search feature will now be able to solve more complex problems across psychics and math word problems. 

Circle to Search is now a better homework helper

People can now search using a video they upload combined with a text query to get an AI overview of the answers they need.

Google experiments with using video to search, thanks to Gemini AI

A search results page based on generative AI as its ranking mechanism will have wide-reaching consequences for online publishers.

Google will soon start using GenAI to organize some search results pages

Google has built a custom Gemini model for search to combine real-time information, Google’s ranking, long context and multimodal features.

Google is adding more AI to its search results

At its Google I/O developer conference, Google on Tuesday announced the next generation of its Tensor Processing Units (TPU) AI chips.

Google’s next-gen TPUs promise a 4.7x performance boost

Google is upgrading Gemini, its AI-powered chatbot, with features aimed at making the experience more ambient and contextually useful.

Google’s Gemini updates: How Project Astra is powering some of I/O’s big reveals