Exactly 7 days ago, I received an email from Dropbox asking me to change my password:
We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.
To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at firstname.lastname@example.org.
The Dropbox Team
Though the language is benign, it meant that a security breach had happened at Dropbox. Two days ago, it was confirmed on The Hacker News:
Hackers have obtained credentials for more than 68 Million accounts for online cloud storage platform Dropbox from a known 2012 data breach.
Dropbox has confirmed the breach and already notified its customers of potential forced password resets, though the initial announcement failed to specify the exact number of affected users.
However, in a selection of files obtained through sources in the database trading community and breach notification service Leakbase, Motherboard found around 5GB of files containing details on 68,680,741 accounts, which includes email addresses and hashed (and salted) passwords for Dropbox users.
An unnamed Dropbox employee verified the legitimacy of the data.
So if you haven’t changed the password on your Dropbox account, it is high time to do so NOW. Aside from using a strong password, keep it unique to Dropbox so that in case Dropbox gets hacked again, the potential security risk to you would be limited to just your Dropbox account.
I already changed mine even though I rarely use Dropbox. 🙂