When the credentials of countless Dropbox users leaked in 2012, Dropbox had to scramble to protect their users. However, it recently came to light that a large chunk of the data stolen was discovered on the dark web, and the number of users affected is much larger than they thought.

Dropbox protects its user passwords by hashing and salting them. For non-techies, this means that hackers that got a hold of the hashed files should not have been able to crack them.

However, sources have now stated that the information taken from Dropbox was much more than the company publicly admitted to its user base. Not only were the hashed passwords taken by hackers, but the emails of the users were taken as well.

Motherboard has reported that 68,680,741users have been compromised by the leak.


At the time of the leak, Dropbox was using bcrypt, a broad and powerful hashing method when compared to the standard algorithm of time, named SHA-1. 32 million passports were reported to have been hashed using bcrypt at the time of the leak. The passwords also had an additional layer of security in a salt method, which is a randomly generated data string.

In November 2012, Drew Houston, head of Dropbox, stated that the company had doubled its number of user accounts, in spite of the leak.

Some sources pointed out that hackers were able to use an employee’s password that was reused from the LinkedIn leak, which also occurred in 2012 and was a major compromise from a well-known company. Some of the blame has been pointed at password reuse by users. The company has cracked down on their employees when it comes to that issue, as well as implementing better security methods to protect against future issues.

Users are advised to change their passwords as a safety precaution.