In August, Motherboard reported that hackers had stolen over 60 million account details for online storage platform Dropbox. The details were from a previously disclosed breach, but the true scale of the hack had not been previously revealed.
Now, anyone can download the email addresses and hashed passwords for 68,680,741 accounts totally for free. On Monday, Thomas White, also known as The Cthulhu, uploaded the full dump onto his website, a move that he says is to help researchers examine the breach.
“I have assisted to keep this breach public for those who are struggling to find a reliable source for research,” White writes on his site. White has previously mirrored other large data breaches, including emails and files from affairs site Ashley Madison, user accounts for Myspace, and a slew of other sites as well.
Nearly 32 million of the Dropbox passwords are secured with the strong hashing function bcrypt, meaning that hackers are unlikely to obtain many of the users’ actual passwords. The rest of the passwords appear to be hashed with SHA-1, another algorithm, along with a salt: a random string of characters added to strengthen the result. However, the dump doesn’t seem to include the salts, making it much harder for hackers to learn many of those real passwords either.
A spokesperson previously told Motherboard that the company has seen no evidence of malicious access of these accounts. The breach occurred back in 2012.
In September, a data dealer was selling the Dropbox dump on the dark web for around $1200.
Data breaches are sometimes publicly distributed after they have gone on sale. This summer, years-old and truly massive dumps of Myspace, LinkedIn, and other sites emerged. The data was sold on the dark web, and then was made freely available for anyone to download.