The 2012 hacking of the popular cloud storage firm Dropbox was a reminder that users need to stop reusing passwords and that companies need to keep up to date with the most effective cybersecurity practices. The breach was found to be the result of an employee who had reused his password from LinkedIn, which had suffered a cyber-attack in June 2012. However, it was not until last week that security notification service Leakbase found that passwords were also among the stolen data.
Following the 2012 attack, Dropbox reported that only its users’ email addresses had been stolen. The issue here is whether Dropbox was aware that the compromised data included passwords and, if so, why it failed to notify its clients in a timely manner. If Dropbox was aware of the stolen passwords, companies that use Dropbox for legal and financial purposes will surely file suit.
Last week, Dropbox sent out notifications recommending that all 68 million compromised users who have not changed their password since 2012 update their passwords immediately. At the time of the theft, Dropbox was in the process of upgrading its password hashing from the SHA1 standard to a more secure standard called bcrypt. Independent security researcher and victim of the Dropbox attack, Troy Hunt, verified that the updated protection “is very resilient to cracking and…all but the worst possible password choices are going to remain secure even with the breach now out in the public.” Another preventive measure that leading security experts advocate is the use of a credible password manager to store the unique, complex passwords needed for daily life.