Hackers stole account details of more than 68 million Dropbox users in a 2012 breach.
Dropbox previously disclosed the breach in 2012, but the number of compromised usernames and passwords was unknown until breach notification service Leakbase provided Vice’s technology channel Motherboard with the information.
Last week, Dropbox began requiring people to come up with new passwords if they had signed up before mid-2012, when the breach occurred, and hadn’t changed their credentials since. This move, Dropbox said in a blog post last week, came as a result of the user information obtained in the 2012 breach.
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time,” Dropbox wrote in the blog post.
According to a report from The Guardian, the 2012 breach likely occurred because a Dropbox employee used the same password for the company’s network and for their own LinkedIn account. That password may have been obtained when LinkedIn itself was breached in 2012.