We get it, companies get hacked all the time. And they’re not too eager to share details about data breaches, but they ultimately have to release details about it so that affected users can protect themselves. At least, they should disclose details. But Dropbox failed to do so, hiding for no less than four years the magnitude of a data breach that may have affected up to 68 million accounts.
The company asked users last week to change their passwords if their accounts dated back to mid-2012. The company acknowledged the hack that took place four years ago, but it didn’t say how many users were compromised, Ars Technica reports.
The scale of the attack is impressive, suggesting that the hackers knew what they were doing. Motherboard obtained four files, totaling 5GB, from sources in the “database trading community”; they contained email addresses and hashed passwords for more than 68 million Dropbox users.
A senior Dropbox employee said that the data was legit. Security expert Troy Hunt, who’s behind the haveIbeenpwned.com site, also said the data is legit.
Dropbox admitted to the hack and confirmed that email addresses and “hashed and salted passwords” were stolen, but it never disclosed the number of affected accounts. The company also said that there was no indication that Dropbox user accounts had been improperly accessed.
Meanwhile, Dropbox confirmed to Ars that the hack did indeed affect more than 60 million users: “We can confirm that based on our intelligence number we have seen is in the 60+ mil range.”