Dropbox says 68 million user IDs stolen

Dropbox believes the credentials were taken in 2012. It learned of the theft only two weeks ago after the 68 million user credentials were posted online.
Dropbox believes the credentials were taken in 2012. It learned of the theft only two weeks ago after the 68 million user credentials were posted online.PHOTO: BLOOMBERG

WASHINGTON (AFP) - Cloud-based data storage company Dropbox said on Thursday (Sept 1) that user IDs and passwords of some 68 million clients were stolen four years ago and recently leaked onto the Internet.

The company said it had no indication that any of its user accounts were improperly entered, and that it had notified the users and made them reset their passwords on the accounts.

The company learnt of the theft of the data only two weeks ago after the 68 million user credentials were posted online, but indicated it still does not know how or by whom.

"The list of e-mail addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on," the company said in an e-mailed statement.

Dropbox believes the credentials were taken in 2012. After learning of the problem, it said, "we then e-mailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012".

"This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts."

Dropbox warned users that if they had signed up for its services before 2012 and had used the same password elsewhere, they should change that as well to protect the account.

"Also, please be alert to spam or phishing because e-mail addresses were included in the list," it said.

Dropbox early this year reported it had more than 500 million users who store and share business files, pictures and video, and all sorts of other data on its cloud servers.