Including the passwords that are now obsolete
A data dump purported to contain 60 million Dropbox user IDs is the real thing, with the company confirming it to The Register, and independent verification from security researcher Troy Hunt.
However, apart from the existence of a file with user IDs and hashed passwords, the company believes nothing has changed since last week.
A spokesperson told The Register “We are confident that this is not a new incident; this data is from 2012, and these credentials were covered by the password reset”.
We’re also told there was no new breach of Dropbox systems.
The Register’s conversation with Hunt – operator of HaveIBeenPwned and security educator – bears that out to a degree, since while Hunt has identified his pre-2012 user ID in the list, the author’s post-2012 account is not in the 60 million records.
Hunt is currently preparing the data to load into HaveIBeenPwned, but believes it’s unlikely that anyone’s going to recover passwords anytime soon.
Testing his own password against the bcrypt hash demonstrates the file is real, Hunt said, although a definitive date is hard to prove.
The four files Hunt obtained extract to a bit more than 4.7 GB, he said, and while there’s 2.21 GB of SHA hashes, even those might pose a problem for an attacker, since they’re salted – the attacker would need the salts to decrypt the hashes.
Hunt will have the data loaded into HaveIBeenPwned shortly. ®