For those of you who got a prompt from Dropbox recently to update your password, we now know the reason why: more than 68m passwords linked to Dropbox accounts were compromised in a data breach.
A few days ago, Dropbox got in touch with users who had failed to change their passwords since 2012, citing a suspected breach from four years ago. The forced change of passwords was a sound decision, if a little overdue.
Now, details about the breach have emerged, with Motherboard reporting that millions of accounts were compromised.
“Not just a little bit hacked,” said security expert Troy Hunt, “but proper hacked to the tune of 68m records.” Hunt runs the Have I been pwned site, which lets people check whether their email addresses have appeared in a known data breach, and he verified Motherboard’s findings.
“There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords,” he said.
Back in 2012, when the breach happened, Dropbox was quite coy about it all, saying its investigation found usernames and passwords stolen from other websites were used to sign in “to a small number of Dropbox accounts”.
“We’ve contacted these users and have helped them protect their accounts,” said the company at the time.
However, despite the scale of the problem, around 32m of the 68,680,741 compromised accounts had passwords stored to a high enough standard to make their details less valuable on the dark web.
Better yet, Dropbox’s move to force-reset passwords that had gotten dusty on the shelf appears to have done the trick, with Hunt lauding the company’s approach.
The full set of compromised login credentials has been added to Hunt’s Have I been pwned service, so it’s worth checking whether your details are there.
“All but the worst possible password choices are going to remain secure even with the breach now out in the public,” said Hunt. But it’s best to double check, and change your password.