The Guardian reported in August that in 2012 the popular cloud storage firm Dropbox had been hacked. The stolen data, which includes hashed passwords and account details for roughly two-thirds of the cloud firm's customers, has now been leaked.
Although the attack took place in 2012, Dropbox did not disclose that the passwords had been stolen until the data had already been leaked. Is this an act of corporate irresponsibility?
At the time of the data theft (68 million users' email addresses and passwords), back in 2012, Dropbox only reported that a collection of users' email addresses had been stolen and said nothing about the passwords. The password dump came to light when the security notification service Leakbase picked it up and sent it to Motherboard, a well-known technology magazine.
Troy Hunt, an independent security researcher and operator of the Have I been pwned? data leak database, verified the data and discovered his own account details in the leak. Hunt stated that "there is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing". Dropbox, which at that time had 100 million customers, has now sent notifications to all users who had not changed their passwords since 2012 and is working on upgrading the hashing of the stored passwords.
The attackers were able to enter Dropbox's corporate network after a Dropbox employee reused a password that they had previously used on LinkedIn, a reminder that one reused credential can turn another company's breach into your own. To reassure its users, a Dropbox spokesperson said: "We can confirm that the scope of the password reset we completed did protect all impacted users".
But the question here is: should Dropbox have disclosed in 2012 that passwords had been stolen, and not only email addresses? Cyber attacks are not only a security problem but also a serious corporate-image problem, depending on how the situation is handled.