The 2012 breach: 68 million user credentials stolen via a reused password
2012 (disclosed in full 2016)
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
What happened
In 2012 attackers obtained the credentials of a Dropbox employee — a password the employee had reused on LinkedIn, which had itself been breached. Using that access, the attackers reached a document containing user email addresses and, as later became clear, a file holding the account credentials of around 68 million users.
At the time, in mid-2012, Dropbox acknowledged only that a stolen employee password had been used to access a project document containing user email addresses, which it linked to a wave of spam. The true scope stayed hidden until August 2016, when the full database of roughly 68 million credentials surfaced and was independently verified. The passwords were hashed — about half with the strong bcrypt algorithm and the remainder with salted SHA-1 — which slowed but did not eliminate the risk to users who had reused passwords elsewhere.
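The two hash formats described above have very different value to a defender once the file is stolen: a salted SHA-1 record costs an attacker one fast hash per guess, while a bcrypt record costs a deliberately slow computation per guess. A store that is part-way through such a migration should upgrade legacy records transparently on the next successful login and flag whichever ones remain for a forced reset. The following is an added example, not code from Dropbox or from the original page; the email addresses and passwords in it are constructed, and because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 with a high iteration count stands in for the slow hash.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example credential store; no value here comes from the incident.
# Two record formats coexist, mirroring a store part-way through a migration
# from salted SHA-1 to a slow, per-password-salted KDF.
LEGACY = "sha1"            # salted SHA-1: one fast hash per attacker guess
MODERN = "pbkdf2-sha256"   # stand-in for bcrypt, which is not in the stdlib
PBKDF2_ROUNDS = 200_000    # each guess now costs 200k HMAC evaluations


@dataclass
class Record:
    scheme: str
    salt: bytes
    digest: bytes


def hash_legacy(password: str, salt: bytes) -> bytes:
    """Salted SHA-1 as used for the older half of the leaked file."""
    return hashlib.sha1(salt + password.encode()).digest()


def hash_modern(password: str, salt: bytes) -> bytes:
    """Slow KDF; bcrypt would be used here in a real deployment."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_legacy_record(password: str) -> Record:
    salt = os.urandom(8)
    return Record(LEGACY, salt, hash_legacy(password, salt))


def make_modern_record(password: str) -> Record:
    salt = os.urandom(16)
    return Record(MODERN, salt, hash_modern(password, salt))


def build_sample_store() -> dict:
    """Constructed store: one user still on salted SHA-1, one already on the slow KDF."""
    return {
        "legacy@example.com": make_legacy_record("correct horse"),
        "modern@example.com": make_modern_record("battery staple"),
    }


def verify_and_upgrade(store: dict, email: str, password: str) -> bool:
    """Check a login; on success, rehash any legacy record with the slow KDF."""
    rec = store.get(email)
    if rec is None:
        # Do comparable work for unknown users so response time does not
        # reveal which email addresses have accounts.
        hash_modern(password, b"\x00" * 16)
        return False
    if rec.scheme == LEGACY:
        expected = hash_legacy(password, rec.salt)
    else:
        expected = hash_modern(password, rec.salt)
    # Constant-time comparison avoids leaking digest bytes via timing.
    if not hmac.compare_digest(expected, rec.digest):
        return False
    if rec.scheme == LEGACY:
        # The plaintext is available only at login, so this is the one
        # moment a legacy record can be upgraded without a reset.
        store[email] = make_modern_record(password)
    return True


def records_needing_reset(store: dict) -> list:
    """Accounts still on the fast hash; candidates for a mandated password reset."""
    return sorted(email for email, rec in store.items() if rec.scheme == LEGACY)
```

The upgrade-on-login path only helps users who sign in before the file is stolen; anyone still listed by records_needing_reset when a breach is confirmed is the population a mandatory reset must cover. None of this helps a user who reused the same password on a site that leaked it in a weaker form, which is why the risk was slowed rather than eliminated.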
Impact
The 2012 breach became one of the largest credential theft incidents ever confirmed, and a case study in delayed disclosure: users did not learn the real magnitude for four years. It also underscored how a single employee's password hygiene could compromise tens of millions of accounts, and it pushed Dropbox to mandate password resets and accelerate two-factor authentication adoption.