Millions of Dropbox users are being advised to change their passwords

Yes, hackers did steal account credentials in 2012.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Millions of Dropbox users are being advised to change their passwords

Earlier this year, reports first began to appear that a historic data breach at Dropbox may have exposed tens of millions of user passwords, after a file claiming to contain millions of Dropbox account details was made available for anyone to download.

At the time, security commentators such as Brian Krebs, Troy Hunt and myself urged internet users to be wary of the claims – as they had not been verified.

After all, it seemed possible that the data had been collected from heavily-reported mega breaches at Tumblr, LinkedIn and MySpace.

Sign up to our free newsletter.
Security news, advice, and tips.

Now, however, Dropbox has confirmed to the media that a 5GB archive of files, containing the email addresses and hashed passwords for some 68,680,741 accounts, is genuine.

From Dropbox’s blog post on the incident:

“Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.”

Sure enough, Dropbox did warn that it suffered a security breach back in 2012, and that an undisclosed number of users’ email addresses were exposed – although the company made no mention at the time that hashed passwords may also have been put at risk.

Next time you log into Dropbox, the site will prompt you to choose a new password if it believes your credentials were at risk. Of course, it’s unlikely that 68 million people will have to do that as many may have already changed their passwords since the breach occurred in 2012.

My advice?

  • Enable two-step verification on your Dropbox account. Whether your Dropbox account has been put at risk or not, this is just a bloody good idea.
  • If you believe you might still be using the same Dropbox password as the one you were using in 2012, change it now. If you believe you might have reused that password anywhere else on the web, change it now.
  • Get out of the habit of reusing the same passwords. It’s a recipe for disaster. My recommendation is that you get yourself a decent password manager to generate and securely remember your passwords for you.

The point about not reusing passwords cannot be underlined enough. When Dropbox was breached back in 2012, it appears that their systems were compromised because one of their staff had made the mistake of… yes, you’ve guessed it… reusing passwords.

From Dropbox’s 2012 blog post:

A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.

And yes, you might well ask why a Dropbox employee might have had such easy access to a file containing users’ account details…

For more discussion of the dumped Dropbox data, read this blog post by HaveIBeenPwned’s Troy Hunt.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Millions of Dropbox users are being advised to change their passwords”

  1. Bob

    Better still use a fully encrypted cloud storage account like: Tresorit, Tarsnap, Tahoe-LAFS or SpiderOak.

    By using a zero-knowledge provider you're taking back control of your data.

  2. Blair S.

    I've started incorporating the date I created a password in the password so I have some idea how old it is when large hacks like this occur.

    1. Bob · in reply to Blair S.

      Surely using a password manager would resolve this problem?

      A good password manager keeps a log of all passwords used for a particular website and the date and time each password was created. It also helps you create extremely secure passwords which you wouldn't be able to memorise (e.g. 8G2Vn9A0@7c9Q#4m753kM1).

      I can't see any benefit in your idea because if you're able to remember such a password then I assume you'd be able to remember roughly when it was created.

      If you're using a password manager then the software will store the date and time it was created making adding the date redundant.

      Is there something I'm missing?

      1. Cub · in reply to Bob

        I don't see that option (date when the password was created) in Lastpass. Where is it located?

        1. Bob · in reply to Cub

          I don't use LastPass and you haven't stated what platform you use it on.

          However they do have a "Password Strength" feature which also shows the age of the password in months. Have a look at this screenshot I found:

          http://cdn.makeuseof.com/wp-content/uploads/2014/07/LastPass-Chapter6-lastpass-security-details.jpg?f411a4

          Most good password managers give the full date and time – I'm surprised that LastPass (judging from the linked screenshot) only appears to give the number of months. That's good enough for most people though.

          There's an answered question on the LastPass website which offers you another method of finding the age of your password(s):

          https://lastpass.com/support.php?cmd=showfaq&id=1643

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.