Dropbox 2012: 68 Million Passwords Exposed Because an Employee Reused a Password
Dropbox suffered a credential breach in 2012 when an employee reused a password from LinkedIn (which had been breached). The intruder used the employee's Dropbox account to access a document containing user email addresses — and then used those to send spam.
Background
Dropbox had approximately 100 million registered users in 2012. A Dropbox employee used the same password on both Dropbox and LinkedIn. LinkedIn was breached in June 2012 (see LinkedIn breach), exposing hashed passwords. Attackers cracked the LinkedIn hash and found it matched the Dropbox employee's work password.
The Attack
With the Dropbox employee's credentials, attackers logged into Dropbox's internal systems and accessed a document containing user email addresses. They used the addresses to send spam. Dropbox initially characterised the incident as a spam problem rather than a breach. Deeper investigation revealed a full database breach: 68 million user email addresses and bcrypt/SHA-1 hashed passwords had been exfiltrated. The true scope was not revealed until 2016, when the data appeared for sale on dark web markets (at the same time as the full LinkedIn dump).
Response
Dropbox forced password resets for all users who had not changed their passwords since mid-2012. The company notified users when the full scope became clear in 2016. Dropbox also strengthened its internal security, including two-factor authentication and hardware security keys for employee access to internal systems.
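The two defensive measures this case turns on, a date-based forced reset for passwords unchanged since the breach and migration of legacy unsalted SHA-1 rows to a salted slow hash on the next successful login, can be combined in one login routine. The following is an added illustration, not Dropbox's code; it assumes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, a placeholder cutoff date for "mid-2012", and constructed sample accounts.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import Optional

# Constructed store mixing two hash formats, as the exfiltrated Dropbox data did:
# older rows hold unsalted SHA-1, newer rows a salted slow hash. bcrypt is not in
# the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; that
# substitution and the cutoff date are assumptions of this example.
RESET_CUTOFF = date(2012, 7, 1)   # placeholder for "mid-2012"
ROUNDS = 100_000

def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def verify(stored: str, password: str) -> bool:
    """Accept either format so legacy rows can still authenticate."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, _digest_hex = stored.split("$")
        recomputed = slow_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(recomputed, stored)
    return hmac.compare_digest(legacy_sha1(password), stored)

def login(users: dict, email: str, password: str) -> str:
    """Return 'denied', 'reset_required' or 'ok'; upgrade legacy hashes on success."""
    rec = users.get(email)
    if rec is None or not verify(rec["hash"], password):
        return "denied"
    if rec["changed"] <= RESET_CUTOFF:
        return "reset_required"       # forced reset for pre-breach passwords
    if not rec["hash"].startswith("pbkdf2$"):
        rec["hash"] = slow_hash(password)   # rehash-on-login migration
    return "ok"

# Constructed sample accounts (not real data).
USERS = {
    "alice@example.com": {"hash": legacy_sha1("correct horse"), "changed": date(2011, 3, 4)},
    "bob@example.com": {"hash": legacy_sha1("hunter2"), "changed": date(2013, 1, 15)},
    "carol@example.com": {"hash": slow_hash("s3cret!"), "changed": date(2014, 5, 6)},
}
```

Verification happens before the reset decision so that an attacker probing accounts cannot learn which ones are flagged; only the hash format is upgraded on migration, the recorded change date is left untouched because the password itself did not change.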
Outcome
The 2012 Dropbox breach was directly caused by an employee reusing a password from a breached service — a personal action with enterprise consequences. The 4-year gap between breach and full disclosure was noted as problematic. The case is now standard in security training about password reuse.
Key Takeaways
- Employees must not reuse passwords across personal and work accounts — corporate password compromise can flow from personal breaches
- Hardware security keys for employee access to sensitive systems prevent password-based attacks even when passwords are leaked
- Cloud storage services accessible via username/password can be compromised via stolen credentials from other services
- Mandatory password managers for all employees significantly reduce password reuse