Email and password data for more than 68 million Dropbox users is for sale in the darknet marketplace.

The data set, which is from a 2012 breach, includes users’ email addresses as well as obscured passwords. The nearly 5 gigabytes of data represents one of the larger user credential leaks in recent years. Its price is reportedly being set at two bitcoins, the equivalent of about $1,141 U.S. dollars, by a data trafficker on the darknet website TheRealDeal. There are no reports that the dataset has been sold yet.

Dropbox quietly announced the 4-year-old breach last week when it sent out a note to affected users informing them that they would be proactively resetting their passwords. They informed users that their accounts were being reset because the company had been notified about a possible threat. But the full extent of the massive breach was reported by Motherboard and confirmed by an unnamed senior Dropbox employee days later.

Dropbox was aware of a security breach in 2012 and told its customers, but says that the true scope and size of the hack was new information until last week. Patrick Heim, head of trust and security at Dropbox, said that the company felt it had taken sufficient preventative measures by proactively resetting passwords. Heim added that at this point, there is still no evidence that the users’ passwords have been successfully decoded and sold.

Hacked user credentials can be very valuable among data traders. Email and password data is typically bought and sold on the darknet, a tier of anonymous and largely untraceable Internet access that is often used for illegal activity such as drug or firearms trading. Large numbers of stolen user data can be integrated with software that automatically cycles though email/password combinations in order to hack into different websites. Given that many people reuse the same passwords on multiple websites, this can be a very effective method.

But the stolen passwords from However, at this time there is still no confirmation that any of the passwords have been successfully decoded and sold. It’s one reason why the reported value of the data, at two bitcoins, is so low.

“The value in bitcoin is a really good indicator of how valuable the hack really was,” said Bryan Seely, a cybersecurity expert and hacker at MGT Capital Investments. “Given how low the price is, I’d say the situation probably isn’t too bad.”

Only subscribers are eligible to post comments. Please subscribe or to participate in the conversation. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.