Reg comments28

Dropbox: Leaked DB of 68 million account passwords is real

Login details are strongly hashed and date back to 2012

A leaked database purported to contain login information for 68 million Dropbox accounts is the real deal. The cloud biz confirmed the authenticity of the records to The Register, with independent verification from IT security guru Troy Hunt.

The archive, which is being shared online, contains Dropbox user IDs and hashed passwords stolen by hackers in 2012. Today's confirmation follows a mass reset of passwords by Dropbox last week when copies of the database started surfacing on the internet.

A spokesperson told The Register: “We are confident that this is not a new incident; this data is from 2012, and these credentials were covered by the password reset.”

The Register's conversation with Hunt – the operator of HaveIBeenPwned and a security educator – bears that out to a degree: while Hunt has identified his pre-2012 user ID in the list, your humble hack's post-2012 account is not in the nearly 70 million records.

Hunt is preparing the data to load into HaveIBeenPwned, an alert system to let people know when account details have been stolen and spilled on the web. He believes it's unlikely that anyone's going to recover passwords anytime soon from the stolen hashes.

The four files of account records Hunt obtained extract to a bit more than 4.7GB, he said. About half of the hashes are scrambled by the strong algorithm bcrypt using a salt that's included in the dump. These will be tough to crack.

The other half are salted and hashed using the weaker SHA algorithm, however the salt is not included in the dump, thus making it difficult for an attacker to crack the hashes using a rainbow table. ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017