Dropbox hackers have stolen 68 million passwords - here's how to protect yourself
Published 01/09/2016 | 09:43
A huge cache of personal data from Dropbox that contains the usernames and passwords of nearly 70 million account holders has been discovered online.
The information, believed to have been stolen in a hack that occurred several years ago, includes the passwords and email addresses of 68.7 million users of the cloud storage service.
Dropbox confirmed that the credentials were stolen in a hack that occurred in 2012 when hackers used stolen employee login details to access a document containing the email address and passwords of users. The number of users affected by the hack was not known until now, and the company had previously said only email addresses were taken - not passwords.
"This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed," said Patrick Heim, the head of trust and security at Dropbox.
The company discovered the details for sale online when it was conducting routine security work. Motherboard then revealed the exact number of affected users after it gained access to the full set of data.
Dropbox, which has around 500 million registered users, is the fourth major company this year to have found user credentials stolen in a 2012 hack circulating online. MySpace and LinkedIn both confirmed in May that hundreds of millions their users' of passwords and email addresses stolen in 2012 hacks were for sale online.
Earlier this month Yahoo said it was investigating reports that 200 million of its users accounts were up for sale, allegedly taken in a hack that was previously unreported.
Does the hack affect me?
In response to the discovery, Dropbox has prompted users who may have been affected by the hack to reset their passwords.
This includes anyone who signed up to Dropbox before the middle of 2012 and has not changed their password since then.
How to protect yourself
If you think you may have been affected by the breach, login to your Dropbox account and see if it prompts you to update your details.
As Dropbox had taken measures to ensure that its users' passwords were kept securely, the chances of them being in the hands of hackers is slim. The company had "hashed" and
"salted" the details, which means that they were scrambled and had a random string added to them that can only be deciphered using a cryptographic key.
To keep its users' passwords secure, the company has also updated the way it stores its passwords multiple times since 2012.
"Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts," said Heim.
If you think your current password was stolen, it could be used to access other accounts that you use the same login details for online.
To protect yourself from being hacked again, change your passwords and turn on two-step verification. Security experts advise people to never use the same password more than once and to use a string of letters and numbers that is difficult to guess.
The breach also includes usernames, which hackers could use in spam and phishing attacks. Dropbox warned users who received its password reset notification to be extra-alert if they receive suspicious emails.
Fake emails often contain tell-tale signs such as spelling mistakes and grammatical errors. If you're uncertain about the source of an email make sure you don't click on any links or provide the sender with any sensitive information. It is also advised that you don't call a phone number provided in a suspicious message.
To shore up your safety online, when you receive an email asking you to check your account manually type the company's website into your browser rather than clicking on a link, which could take you to a fake version of the site.