Cloud-based file-manager Dropbox has admitted that the details of over 60 million accounts have been circulated online since a breach in 2012.
Motherboard first reported the breach, claiming that while individual users were informed at the time through forced password resets, the scale of user information circulating on the dark web has only just become apparent.
At the time of the breach the company announced: “We learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”
It claimed: “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.”
It did not admit that passwords were also leaked, although the hashing and salting protecting them remains intact.
TechCrunch stated that the hack affected around three-fifths of the service’s user base at the time.
Joe Siegrist, chief executive of LastPass, said: “Humans are inherently bad at making passwords and continue to reuse passwords despite the obvious risks. Using unique passwords for all your online accounts ensures that if they’re leaked in a breach like this one, they can’t be used by hackers to get into any of your other accounts. If you’re not doing this, you’re doing it wrong.”