Dropbox confirmed Wednesday that a data breach discovered and disclosed in 2012 was bigger than previously known and according to one report could involve almost 69 million accounts.
The cloud-storage company said it reset the passwords last week of all affected users – people who signed up for accounts before the middle of 2012 and hadn’t changed their passwords since then. The company confirmed that more than 60 million accounts were affected. Vice’s Motherboard website earlier reported the figure.
“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed,” Patrick Heim, head of trust and security at Dropbox, said in a statement. “We can confirm that the scope of the password reset we completed last week did protect all impacted users. Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts.”
While Dropbox sought to reassure users their accounts were safe, the incident was just the latest example of a technology company resetting only passwords of accounts they know for sure are compromised while leaving everyone else’s unchanged. Even highly sophisticated companies often don’t have a full accounting of what’s taken from them during a breach and their responses are often based on information hackers are selling online.
There’s no uniform approach to responding to hacking attacks, and companies have struggled with the legal and user-experience implications of resetting lots of people’s passwords at once.
EBay took an unusual tack after learning about a breach in 2014, when it emailed users with the suggestion they change their passwords, an approach that opened up its more than 145 million active buyers worldwide to phishing and other hacking attacks.
LinkedIn bungled its response to a breach the job-search site disclosed in 2012, when the company only reset the passwords of 6.5 million users whose information showed up on a hacker site, only later to have to disable the passwords of other users who might have been affected. In May, LinkedIn said it was reopening its investigation of the breach, which might have been even bigger than the company thought, involving potentially as many as 117 million accounts.