UPDATE: Dropbox reached out to Techvibes to encourage readers to read this blog post to clarify details about the issue.
Did Dropbox ask you to update your password last week? If so, you are one of 68 millions users whose data was stolen in 2012 and you haven’t changed your password since. The 2012 breach was downplayed by Dropbox at that time but came to light last week as the accessed information was more extensive than originally understood.
Vice’s Tech site Motherboard reported that “sources in the database trading community” accessed 5 GB worth of data containing e-mail addresses and hashed (protected) passwords for 68,680,741 Dropbox users.
The hack has also been confirmed Troy Hunt, the Australian security expert behind haveIbeenpwned.com: —who claimed to have seen the data: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords.”
Last week Dropbox initiated a password reset for all affected users and claims this has solved the problem.
“We’ve confirmed that the proactive password reset we completed last week covered all potentially impacted users,” said Patrick Heim, Head of Trust and Security for Dropbox. “We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can’t be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password.”
Half of the passwords are secured with bcrypt’s hashing function and a salt; simply, random data added to a password in order to strengthen it. This means it is unlikely that hackers will be able to obtain many of the users’ actual passwords, and with the password update the dataset has little value to hackers at this point.