Sunday 4 September 2016

Dropbox employee’s password reuse led to theft of 60M+ user credentials



Dropbox disclosed earlier this week that a large chunk of its users’ credentials obtained in 2012 was floating around on the dark web. But that number may have been much higher than we originally thought.
Credentials for more than 60 million accounts were taken, as first reported by Motherboard and confirmed by TechCrunch sources. The revelation of a password breach at Dropbox is an evolution of the company’s stance on the 2012 incident — the company initially said that user emails were the only data stolen.
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
Dropbox disclosed in 2012 that an employee’s password was acquired and used to access a document with email addresses, but did not disclose that passwords were also acquired in the theft. Because Dropbox stores its user passwords hashed and salted, that’s technically accurate — it seems that hackers were only able to obtain hashed files of Dropbox user passwords and were unable to crack them. But it does appear that more information was taken from Dropbox than was previously let on, and it’s strange that it’s taken this long for the breach to surface.
According to a Dropbox source, in addition to the user emails initially disclosed in 2012, a batch of hashed passwords associated with those emails was also taken. At the time of the breach, Dropbox was moving away from using the hashing function SHA-1, a standard algorithm at the time, and replacing it with the more robust standard called bcrypt. Some of the stolen passwords were hashed with SHA-1, while 32 million were hashed with bcrypt, Motherboard reports. The passwords were also secured with a salt, a random data string added to strengthen the hash. Even though these passwords have now been dumped online, it does not appear that the hash protections have been cracked.
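The migration the article describes, legacy salted SHA-1 records being replaced by a slow adaptive hash, as an added example that is not Dropbox’s code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; the record formats, the round count and the upgrade-on-login helper are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not Dropbox's code. Models the two record formats the article
# describes (legacy salted SHA-1, slow adaptive hash) and the upgrade-on-login
# step of a migration between them. PBKDF2-HMAC-SHA256 stands in for bcrypt:
# the property that matters is a per-user salt plus a tunable work factor.

PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it as hardware speeds up


def hash_sha1_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Legacy record 'sha1$<salt-hex>$<digest-hex>'. One SHA-1 call per guess:
    the salt defeats precomputed tables, but weak passwords still fall fast."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_slow(password: str, salt: Optional[bytes] = None,
              rounds: int = PBKDF2_ROUNDS) -> str:
    """Adaptive record 'pbkdf2$<rounds>$<salt-hex>$<digest-hex>'; the round
    count is stored so it can be raised later without breaking old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    try:
        parts = record.split("$")
        if parts[0] == "sha1":
            expected = hash_sha1_salted(password, bytes.fromhex(parts[1]))
        elif parts[0] == "pbkdf2":
            expected = hash_slow(password, bytes.fromhex(parts[2]), int(parts[1]))
        else:
            return False
    except (IndexError, ValueError):
        return False  # malformed record
    return hmac.compare_digest(expected, record)


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Migration step: a successful login against a legacy SHA-1 record returns
    a replacement record hashed with the slow scheme; otherwise it is unchanged."""
    ok = verify(password, record)
    if ok and record.startswith("sha1$"):
        record = hash_slow(password)
    return ok, record
```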

How the startup economy is replacing the traditional resume

A group of five engineers and product people get together, raise some angel funding, build a startup, make little to no money and sell for $10 million. What just happened? Common narratives assert that it’s the tech bubble; it’s a naive acqui-hire; it’s collective irrationality.
Maybe it’s something else altogether: a fundamental shift in how we compensate the extreme top end of the labor pool.
About a decade ago, before the latest tech boom, many of the best and brightest college grads started their careers on Wall Street. Today, they increasingly set their sights on Silicon Valley, the new economic hub of America, where, despite the cultural emphasis on idealism and changing the world, the promise of money and power lures young, smart people just as it does on Wall Street.
The similarities don’t end there. Technology, like finance, relies on scale and convexity of returns to thrive. Billion-dollar hedge funds are often run by a half-dozen people. Likewise, a few engineers can build a billion-dollar product. In this way, both industries are incredibly labor efficient. As the saying goes, one great engineer is worth 10 good engineers.
This creates an enormous incentive to hire the best, and, conversely, a massive cost to hiring poor performers. Furthermore, we are still in the early stages of the technological revolution, and in this wild west, where large companies are fighting for relevance and long-term market share, hiring decisions can have long-lasting impacts that cascade into the future.
Unlike finance, however, in tech it’s harder to identify and compensate value drivers — namely engineers, designers and other product people. In MBA-speak, this is because bankers and traders are revenue centers, whereas engineers and designers are cost centers. In the world of banking, your contribution to the bottom line is easily measured. In many cases, identifying stars in your business is as simple as “show me the money.”
On the other hand, the contribution of an engineer to an overall project, and the success of that project to the overall viability of the business, is much more opaque. A trader is worth as much as the money he made on his last trade. How much is a specific engineer on an infrastructure analytics team worth?
The tech world is still discovering what compensation for its elites looks like. Never before has a cost center wielded so much leverage and power over the bottom line of an entire industry. The pharmaceutical industry, for instance, also stands on the shoulders of its product (R&D), but the friction and cost of building a pharma startup is typically too high to throw something together in a garage, so while the contribution of the R&D team is high, their bargaining power against their employer is not.
All this creates an interesting incentive system. Employers want to hire the best and are more than willing to pay for it, but information asymmetry and bargaining power of elite employees make that a challenge. The Googles of the world can and would pay exorbitant amounts for a star coder, but when it comes to new grads from Stanford, for instance, they can’t measure, let alone predict, who will be a star — at least not enough to justify a million-dollar signing bonus.
The incentives of young, smart, ambitious people in technology are equally misaligned with conventional labor models. You could join an established company and spend years proving your worth and politicking to ensure that that worth is recognized, and ultimately still likely be underpaid for your contributions should they be extraordinary. Or, instead, you could build a startup, where, if successful, you’ll earn a lifetime’s worth of salary in a matter of a few years.