The extent of a previously announced breach of Dropbox user data back in 2012 is now coming to light. As Motherboard reports, in addition to users' email addresses, passwords were obtained and leaked along with other user information. Motherboard found one hacker in possession of the data dump from the "mega-breach," though it's unclear whether the leaked user info has been used for any nefarious purposes.
The Dropbox dump does not appear to be listed on any of the major dark web marketplaces where such data is often sold: the value of data dumps typically diminishes when passwords have been adequately secured.
Reportedly, SF-based Dropbox has taken security measures to re-secure passwords several times since 2012, and earlier this week forced password resets for users who still had unchanged passwords from 2012. So if you're wondering why you're being forced to change your password, now you know.
The Guardian reports that the extent of the hack came to light after security researcher Troy Hunt verified that his own and his wife's passwords were among the leaked data.
The original 2012 breach, per the Guardian, "appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn... [which] suffered [its own] breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network."
That hack involved the account info of 117 million LinkedIn users, and as Motherboard discovered in May, one hacker was trying to sell the data on the dark web for $2,200, or five bitcoin. So clearly it's still making the rounds.