Dropbox hack leads to 68 million password hashes dumped online


Earlier in the week, Dropbox forced password resets after stumbling across user credentials online that it believes were stolen in a 2012 breach.

Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012.

Our analysis suggests that the credentials relate to an incident we disclosed around that time.

You’ll need to update your password if you signed up to use Dropbox before mid-2012 and if you haven’t changed that password since then, Dropbox said.

The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria.

Motherboard reports that it got its hands on files containing the email addresses and hashed passwords for the data set through what the publication says are sources in the database trading community.

Motherboard obtained four files, around 5GB in size, that contain details on 68,680,741 accounts. A senior Dropbox employee told Motherboard that the data is legitimate.

You’ll know that your Dropbox credentials were caught up in this theft if you receive an email from Dropbox, at the address on your Dropbox account. Plus, those affected can expect to be prompted to update their password the next time they visit dropbox.com.

Dropbox says this is all purely preventative. It’s seen no indication that accounts have been improperly accessed.

How do I protect my Dropbox account?

Dropbox is advising some security precautions that should sound familiar:

  1. Update any passwords you use on other sites, and make sure to use only one, unique password per site.
  2. Make those unique passwords strong. Here’s how.
  3. Consider turning on two-step verification. Here’s how to do it on Dropbox, and here’s why it’s a great idea.
  4. Only sign in to your account from secure devices, and always sign out if accessing your account on a non-personal device.