Dropbox and Brazzers Passwords Hacked

Douglas Crawford

September 9, 2016

A couple of weeks ago it was revealed that some 60 million Dropbox account details (including passwords) had been stolen. A couple of days ago nearly 800,000 accounts belonging to members of Brazzers, “the world’s most heavily used porno site!”, were dumped on the internet. Unlike the Dropbox data, these details included email addresses and passwords in plaintext.

The Dropbox hack

Dropbox has forcibly required many of its users to reset their passwords and has sent an email to all users strongly advising that they reset their passwords.

The next time you visit, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria.

It seems the details were obtained during a hacking “incident” dating back to 2012:

“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

KeePass is a great open source cross-platform password manager. Check out my review here

In its 2012 security update, Dropbox reported that an employee’s password had been stolen and used to access Dropbox users’ email addresses:

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.

What Dropbox did not disclose at the time was that passwords were also stolen. Many of these were protected by a SHA-1 hash with a random per-user salt. Probably because salted SHA-1 was still common practice at the time, Dropbox appears to have been unconcerned by the theft of these hashes.

Unfortunately, a salt only stops an attacker from reusing precomputed tables across many users; it does nothing about the real weakness of SHA-1 as a password hash, which is that it is fast. With the dump in hand, an attacker can test billions of candidate passwords per second against each salted hash on ordinary GPUs, so every account with a weak or common password falls quickly. (The collision attacks that have since undermined SHA-1 as a signature hash are a separate problem; they are not what makes a SHA-1 password dump crackable.) Dropbox had already recognised this in 2012 and had begun migrating to bcrypt, a deliberately slow hash designed to make each guess expensive.

Motherboard has been able to confirm that 60 million Dropbox user account details have been dumped onto the internet. The passwords are still hashed, and around 32,000 of these are protected by bcrypt. The remaining passwords, however, are hashed using salted SHA-1, and are therefore exposed to exactly this kind of offline brute-force attack.

It is for this reason that Dropbox has forced a reset for every account whose password has not been changed since mid-2012. Unfortunately, most users do not change their passwords very often, so this covers a very high percentage of Dropbox’s customers.
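To make the difference concrete, here is an added Python example (mine, not Dropbox’s code) that builds a constructed four-user credential table, hashes it once with salted SHA-1 and once with a deliberately slow KDF, then runs the same small dictionary attack against both. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the Python standard library; the lesson is the same: the salt defeats precomputed tables but not a per-user dictionary attack, and only the cost per guess changes what an attacker can afford. The usernames, passwords, wordlist and iteration count are all invented for the example.

```python
import hashlib
import os
import time

# Constructed credential table: three weak passwords and one strong one.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "dropbox",
    "dave": "V7q!m2xLp9#sRz4w",   # constructed strong password, not in any wordlist
}

# Constructed mini wordlist; a real cracker uses tens of millions of entries.
WORDLIST = ["password", "123456", "letmein", "dropbox",
            "qwerty", "brazzers", "hunter2", "welcome1"]

PBKDF2_ROUNDS = 50_000   # assumed work factor for the slow hash


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast hash: a single SHA-1 computation per guess."""
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2_slow(password: str, salt: bytes) -> bytes:
    """Slow hash standing in for bcrypt: PBKDF2_ROUNDS HMAC-SHA256 calls per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_dump(users, hash_fn):
    """Simulate the stolen table: each user gets a fresh random salt stored beside the hash."""
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        dump[user] = (salt, hash_fn(pw, salt))
    return dump


def crack(dump, wordlist, hash_fn):
    """Per-user dictionary attack. The salt ships with the dump, so every candidate
    is simply re-hashed with it; the salt only stops work being shared across users."""
    recovered, guesses = {}, 0
    for user, (salt, digest) in dump.items():
        for candidate in wordlist:
            guesses += 1
            if hash_fn(candidate, salt) == digest:
                recovered[user] = candidate
                break
    return recovered, guesses


def compare(users=SAMPLE_USERS, wordlist=WORDLIST):
    """Crack both dumps and report how much each guess costs the attacker."""
    results = {}
    for name, fn in (("salted-sha1", sha1_salted), ("pbkdf2", pbkdf2_slow)):
        dump = make_dump(users, fn)
        t0 = time.perf_counter()
        recovered, guesses = crack(dump, wordlist, fn)
        elapsed = time.perf_counter() - t0
        results[name] = {
            "recovered": recovered,
            "guesses": guesses,
            "sec_per_guess": elapsed / guesses,
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} cracked {sorted(r['recovered'])} in {r['guesses']} guesses, "
              f"{r['sec_per_guess'] * 1e6:.1f} microseconds per guess")
```

Both runs recover the same three weak passwords and miss the strong one; the salted SHA-1 pass costs roughly a microsecond per guess, the PBKDF2 pass tens of milliseconds. Scale that to a real wordlist and a GPU rig and the fast hash gives up most of a dump in hours, while a properly tuned bcrypt or PBKDF2 table protects everyone except the users who picked genuinely dictionary passwords.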

The Brazzers Hack

790,724 unique Brazzers account details have been dumped on the internet. These include email addresses and associated passwords. In plaintext! These details were the result of a successful hack on the Brazzers forum.

This is actually a separate website to the Brazzers porn portal, but apparently accounts belonging to users who never signed up to the forum were nabbed as well, and have been released to the general public.

Motherboard managed to obtain a file containing these account details from a website that specializes in monitoring data breaches. Troy Hunt, the security researcher who runs the ‘;--have i been pwned? website, was then able to verify that the data was genuine by the simple expedient of contacting Brazzers members and asking them to confirm the details.

According to a Brazzers spokesperson,

This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.

That being said, users’ accounts were shared between Brazzers and the ‘Brazzersforum’ which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users.

So what can you do to protect your passwords?

No matter how strong the password you use, if a website you are a member of is hacked and its password database stolen, then your account there should be considered compromised. This is especially true if passwords are held (and leaked) in plaintext!

You should therefore change that password immediately! Done? Don’t relax yet. Have you reused the same password on other websites and accounts? Then change every one of them too. Now!

Unfortunately far too many of us are guilty of this bad practice. It means that hackers (or in the cases above, the entire internet) can simply try the leaked email address and password combination against every other service you use, and they will get in wherever it was reused. This might well include your bank account.

Use a password manager

Passwords (or even better, passphrases that use more than one word) should be long, random, and unique: a different one for each account you have. But who can remember even one long random string of letters, numbers, and symbols, let alone many of them?

The answer, of course, is that computers can! A good password manager program will:

  • Generate strong unique passwords for every website and account that you use
  • Protect these passwords using strong encryption
  • Allow you to access all your passwords by just remembering a single “master password” (be sure to choose a good one and not divulge it to anyone else!)
  • Allow you to access your passwords on whatever device and platform you use, and to sync them across those devices and platforms.
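As an added illustration (not code from the original article), here is what a password manager’s generator does under the hood in Python: it draws from the operating system’s cryptographic random source via `secrets`, never the `random` module, and the entropy arithmetic shows why a five-word passphrase from a 7,776-word Diceware-style list and a 20-character random password are both far beyond the brute-force rates discussed above. The short word list and the 10 billion guesses-per-second attacker are constructed for the example; a real generator loads a full word list.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style word list (a real one has 7,776 entries).
WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon", "granite",
         "harbor", "indigo", "juniper", "kestrel", "lantern", "meadow", "nickel",
         "orchid", "pepper", "quartz", "raven", "saffron", "timber", "umber",
         "velvet", "walnut", "yarrow", "zephyr"]
DICEWARE_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def make_passphrase(n_words=5, wordlist=WORDS, sep="-"):
    """Pick words uniformly with the OS CSPRNG; secrets.choice has no modulo bias."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def make_password(length=20, alphabet=PRINTABLE):
    """Random password; re-draw until every character class appears, as most
    managers do to satisfy site rules. Rejection keeps the draw uniform."""
    if length < len(CHAR_CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CHAR_CLASSES):
            return pw


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Expected years to search half the keyspace at an assumed attacker rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("passphrase:", make_passphrase())
    print("password:  ", make_password())
    for label, bits in (("5 Diceware words", entropy_bits(DICEWARE_SIZE, 5)),
                        ("20 printable chars", entropy_bits(len(PRINTABLE), 20)),
                        ("8 lowercase letters", entropy_bits(26, 8))):
        print(f"{label:20s} {bits:6.1f} bits, ~{years_to_exhaust(bits):.3g} years at 1e10/s")
```

Eight lowercase letters (about 37.6 bits) fall in seconds at that rate, which is why the salted SHA-1 half of the Dropbox dump matters; five random words or twenty random characters do not fall at all, and the manager remembers them so you do not have to.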

Sticky Password is my choice for best commercial password manager

Password managers are therefore not only invaluable security tools, but actually make your life easier. After all, it is far easier to remember just one master password than lots of them, and your password manager will even autofill logins so you don’t need to type in your details each time!

Please check out my list of 5 Best Password Managers for some of the best password manager options available.

Use 2-factor authentication

One-factor authentication requires a single proof of identity, such as knowing your username and password. 2FA provides another layer of protection against hackers by also requiring you to have something physical (for example your smartphone).


Two-step authentication is common in secure physical work places, where in addition to needing passcodes/doorcodes etc. (i.e. what you know), employees are required to carry a smartcard, USB thumbdrive, or similar physical object to prove what they have.


By requiring proof of ‘what you know’ and ‘what you have’, two-factor authentication greatly improves security. In the above cases, for example, simply obtaining usernames and passwords would not be sufficient to access users’ accounts. If 2FA is available, then you should always take advantage of it, and going forward, hopefully more services will start supporting 2FA.
