Earlier this year, reports first began to appear that a historic data breach at Dropbox may have exposed tens of millions of user passwords, after a file claiming to contain millions of Dropbox account details was made available for anyone to download.
Now, however, Dropbox has confirmed to the media that a 5GB archive of files, containing the email addresses and hashed passwords for some 68,680,741 accounts, is genuine.
From Dropbox’s blog post on the incident:
“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”
Sure enough, Dropbox did warn that it suffered a security breach back in 2012, and that an undisclosed number of users’ email addresses were exposed - although the company made no mention at the time that hashed passwords may also have been put at risk.
Next time you log into Dropbox, the site will prompt you to choose a new password if it believes your credentials were at risk. Of course, it’s unlikely that 68 million people will have to do that as many may have already changed their passwords since the breach occurred in 2012.
- Enable two-step verification on your Dropbox account. Whether your Dropbox account has been put at risk or not, this is just a bloody good idea.
- If you believe you might still be using the same Dropbox password as the one you were using in 2012, change it now. If you believe you might have reused that password anywhere else on the web, change it now.
- Get out of the habit of reusing the same passwords. It’s a recipe for disaster. My recommendation is that you get yourself a decent password manager to generate and securely remember your passwords for you.
The point about not reusing passwords cannot be underlined enough. When Dropbox was breached back in 2012, it appears that their systems were compromised because one of their staff had made the mistake of… yes, you’ve guessed it… reusing passwords.
From Dropbox’s 2012 blog post:
“A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”
And yes, you might well ask why a Dropbox employee might have had such easy access to a file containing users’ account details…
For more discussion of the dumped Dropbox data, read this blog post by HaveIBeenPwned’s Troy Hunt.