Four years after a data breach at cloud storage service Dropbox, details of more than 68 million user accounts have reportedly been leaked.

Tech website Motherboard reported Tuesday that it obtained files containing the account details from sources in the database trading community and breach notification service Leakbase. The files contain email addresses and “hashed” passwords, which use an algorithm to protect the passwords, it said.

It was not previously known how many users were affected by the 2012 hack, according to Motherboard, which says that the leaked data does not appear to be posted on the dark web. A senior Dropbox employee told Motherboard that the data is legitimate.

The data dump was also verified by security researcher Troy Hunt.

“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed,” said Patrick Heim, Dropbox’s head of trust and security, in an emailed statement. “Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012.”

“Salted” passwords use random data as an additional layer of protection.

Dropbox recently launched a major password reset, prior to the dumped data becoming public.

“We can confirm that the scope of the password reset we completed last week did protect all impacted users,” Heim said. “Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts.”

Heim noted that the reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since. However, he urged affected users who reused their passwords on other sites to protect themselves on those sites. “The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification,” he said. “Individuals who received a notification from Dropbox should also be alert to spam or phishing.”

Two-step verification, also known as two-factor verification, is a method of bolstering users’ online security. In addition to a password, additional login data could be used, such as a code sent to a cell phone.

Josh Feinblum, vice president of information security at cybersecurity specialist Rapid7, praised Dropbox’s handling of the data breach. “Dropbox began taking proactive action to protect their users nearly a week before information about this leak became public,” he said in an emailed statement. “Their customer-first approach was refreshing and likely mitigated a great deal of risk to their users.”

The Dropbox dump is just the latest in a string of high-profile data breaches. A hacker was reportedly looking to sell 117 million passwords from a 2012 LinkedIn breach on the dark web earlier this year. In June a hacker claimed to be selling 655,000 alleged patient healthcare records on the dark web, containing information such as social security numbers, addresses, and insurance details.

The dark web, or darknet, refers to private networks built from connections between trusted peers using unconventional protocols. The dark web is just one part of what is known as the deep web – a vast network which is not indexed by search engines such as Google and Bing.

