Dropbox account details compromised and available online

Credentials from a 2012 Dropbox data breach are now available online. While credential details associated with these accounts were available for purchase on the “Darknet” earlier this year, they are now freely available for download.

Media reports have recently emerged that indicate email addresses (and hashed passwords) for 68,680,741 Dropbox accounts are now publicly available. Of this number, approximately 120,000 are “.nz” domains.

Dropbox have confirmed that credentials were compromised in 2012 when actors used stolen employee login details to access a database containing the email addresses, passwords and other details of users.

The NCSC assesses that the threat to New Zealand entities is low. Since the 2012 breach, the affected accounts have had an enforced password change. Additionally due to the passwords being hashed and salted, it is very difficult for the passwords to be cracked.

While the risk is low, as with all passwords, the NCSC recommends:

  • Using complex passwords;
  • Using two-factor authentication where possible;
  • Consider using a password manager tool; and
  • Making sure your devices and/or accounts are secured with different passwords.

The NCSC can be contacted by email via incidents@ncsc.govt.nz or by phone on:04 498 7654. We encourage you to contact us at any time if you require any further assistance or advice.