The company protected its users' passwords by hashing and salting them, meaning that hackers who had obtained the hashed files belonging to Dropbox's users were not able to crack them.
However, security expert Troy Hunt, who specialises in tracking data breaches such as this, said that "without a shadow of a doubt, the data was taken from Dropbox's system".
This latest development indicates that the 2012 breach had the potential for far more fallout than Dropbox initially revealed to users.
Last week, Dropbox users received emails saying customers who signed up for the service prior to mid-2012, and had not changed their password since then, would be forced to do so the next time they signed in.
According to Motherboard, the credentials of 68,680,741 Dropbox users were compromised in the leak.
Other data in the database included usernames, email addresses, join date, and other internal records including campaign hits, banned users, newsletter details, used invites, web player details, and similar.
(Obviously, if you've already changed your password, there's no need to do so again willy-nilly.)
Dropbox previously disclosed the attack, but the full scope of the breach has only recently become known: 5 GB of documents containing email addresses and hashed passwords for over 68 million users.
"Not only was the password itself solid, but the bcrypt hashing algorithm protecting it is very resilient to cracking and frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public", Hunt noted.
We recommend that you create strong, unique passwords, and enable two-step verification.
The company said it had no indication that any of its user accounts had been improperly accessed, and that it had notified the users and made them reset the passwords on their accounts.
I have a new password added to my others.
These things happen in today's world. My thanks to the leaders of Dropbox for releasing the information.