Four years after a data breach at cloud storage service Dropbox, the company has now admitted that more than 60 million user logins have been spread across the internet, confirming earlier media reports.
Dropbox said in a statement late on Wednesday that the data of “60-plus million” of its users had been stolen, confirming a report by tech website Motherboard on Tuesday, which said that it had obtained files containing the accounts of 68 million Dropbox users on the internet.
The cloud service firm said it believed that the database – which includes usernames and encrypted passwords – was stolen in a breach in 2012.
“Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012,” Dropbox head of trust and security Patrick Heim said in the statement.
The San Francisco-based company also claimed that there didn’t appear to be “any indication that users have been hacked after the data dump,” even though some of the data were now available for sale online.
Dropbox noted that it had completed a process of resetting passwords, including through a warning to users who signed up before mid-2012.
Due to the measure, Patrick Heim rejected calling the breach a “new security incident,” saying: “The password reset means they can’t be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn’t changed their password since.”
The announcement comes as a major blow to Dropbox – one of the best-known unicorns yet to go public. The 9-year-old company is reportedly eyeing an initial public offering (IPO) in early 2017.
The company said it had 200,000 paying business customers, including the recently added Adidas Group, and 500 million registered users globally in the face of competition from Microsoft, Google, Apple and Box.
Last year Dropbox led the $2.43-billion worldwide market for file-sharing with a 25 percent share, according to research group IDC. Although it was not yet profitable, analysts said, the company was fully funded and had a positive free cash flow. However, the company’s lofty valuation of about $10 billion is much too high in the eyes of many analysts.
The Dropbox dump is just the latest in a string of high-profile data breaches. A hacker was reportedly looking to sell 117 million passwords from a 2012 LinkedIn breach on the dark web earlier this year. In June a hacker claimed to be selling 655,000 alleged patient healthcare records on the dark web, containing information such as social security numbers, addresses, and insurance details.
uhe/kd (Reuters, dpa)