Earlier this week, Dropbox reset user passwords for all accounts that hadn’t changed them since 2012, following its discovery of a file containing hashed and salted passwords that were obtained in a previous security breach.
Now, Motherboard reports that the company’s systems were hacked in 2012, and the attackers were able to get away with 68 million usernames and passwords. The legitimacy of the data was verified by Motherboard and vouched for by security expert Troy Hunt.
If you hadn’t changed your password since mid-2012, there’s not much reason to worry: since Dropbox forced a password reset on those accounts, the old one hackers found in the file wouldn’t be of any use. In addition, 32 million of the passwords were found to be strongly hashed using bcrypt, while the rest used the slightly weaker SHA-1 algorithm. The passwords had also been salted, i.e. appended with a random string of characters to obscure them further.
However, if you’ve used the same email address and password combination on other services, you’ll want to change those right away. It’s common for hackers to try using credentials from one company breach on other services and accounts.
2016 has not been a good year for online security. Earlier this year, 32 million Twitter passwords were put up for sale on the Deep Web for just $5,807; in May, 117 million LinkedIn account details were available for $2,200, and 45 million users’ credentials were stolen from numerous forums operated by a single company.
If you’re concerned about the safety of your online accounts, now would be a good time to try out a password manager like 1Password and enable two-factor authentication on every service that offers it.