UPDATED 22:54 EDT / AUGUST 31 2016


Dropbox hack, far bigger than thought, may be a cloud security wakeup call

A hack of online storage provider Dropbox Inc. in 2012 has been revealed to be much larger than previously disclosed, with the details of some 68 million account holders finding their way online.

Motherboard obtained a selection of files that were being traded on a “database trading community” (likely on the dark web), and found that the four files, totaling 5GB, contained the email addresses and hashed passwords of 68,680,741 Dropbox users.

Well-regarded researcher Troy Hunt also confirmed the validity of the data, posting details that included his own Dropbox account and that of his wife.

When the hack first became public Dropbox stated, “Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.”

Of note, at the time the company blamed the hack on an employee’s password being obtained and apologized for the massive failure of internal security. But as it turns out, Dropbox wasn’t exactly telling the whole truth when it came to the size of the hack.

Dropbox users with passwords set up in 2012 or earlier have been advised by the company that they will be forced to reset their passwords, with the company stating:

We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.

The decision to force a password change was welcomed by security experts, with Rapid7 Inc. Vice President of Information Security Josh Feinblum telling SiliconANGLE via email: “Dropbox began taking proactive action to protect their users nearly a week before information about this leak became public. Their customer-first approach was refreshing and likely mitigated a great deal of risk to their users.”

“Their response to a challenging event is a great model for other cloud companies to follow if faced with a similar situation,” he added. “It’s our belief that the open dialogue about security that companies like Dropbox are promoting about risk, mitigation, and action will help to strengthen the security and technology communities.”

Warnings

Others weren’t as positive in their reaction to the news, with Mimecast Ltd. Cybersecurity Strategist Matthew Gardiner telling SiliconANGLE that Dropbox represents a security risk within the enterprise.

With the recent confirmation that hackers stole account details for more than 60 million Dropbox users, it is fair to say that Dropbox is a wide-open hole in many organizations’ networks. Companies need to arm their employees with secure alternatives to share large files that work at the enterprise level. If employees don’t have a better option, they end up using a variety of vendors and creating multiple accounts, none of which are being securely monitored.

The biggest threat with employees using file sharing programs like Dropbox is that once an account is compromised, it can be used as an attack vector for delivering malicious links to a network. Although it would look like the email came from someone that the employee knows, it could end up being malware or ransomware that has the potential to take down an organization’s entire system.

Peter Tran, general manager and senior director at RSA LLC, the security division of EMC, agreed with Gardiner, telling SiliconANGLE that the news means it’s time that security in the cloud was properly addressed.

The Dropbox hack represents a “fire alarm” the industry in general has repeatedly ignored, and it’s time to face the realities of security in the cloud. Out of the top 5 drivers for cloud adoption, security has often been cited as an advantage for consumers. How can this possibly be reality given approximately 41% of the top 29 cloud providers do not use 2-factor authentication (2FA) and rely on user name/passwords as their main access control for their consumers?

This is an alarming reality for both public and private cloud infrastructures and their user base. In 2016 alone, over 50% of all data created by organizations is currently or will be stored in the cloud in some form. It’s the new frontier for nation state and other cyber criminals to target consolidated “data farms” like Dropbox. From a hacker’s view, it’s like opening up a “Cracker Jack” box, dumping out the popcorn to get the prize, only in this case, multiply that by about 70 million! Cloud is quickly becoming the one stop hacker shopping given the interdependencies of mobile platforms, app driven accessibility, and cross functional “As-A-Service” enterprise and consumer functions.

Users are advised to change their Dropbox passwords if they have not done so already.

Image credit Dropbox.
