Last week, longtime users of the cloud storage service Dropbox received a curt email explaining that the company was resetting their passwords. “This is purely a preventative measure, and we’re sorry for the inconvenience,” the email read in part. A link in the message directed users to a page laying out the issue in a little more detail. The company's security team, it calmly explained, had recently “learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012.” Dropbox provided few additional details, but now the story is coming together more clearly—and it’s big.
On Tuesday, Motherboard reported that more than 68 million accounts had been compromised in the breach and that the data was circulating. Motherboard’s Joseph Cox wrote that the publication had “obtained a selection of files containing email addresses and hashed passwords.” Troy Hunt of the site Have I Been Pwned, which helps users determine whether their information has been compromised in a data breach, subsequently confirmed that the files were real. “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords,” Hunt wrote.
While this breach is hardly the largest on record—that would probably be the time hackers compromised 360 million MySpace accounts—it’s still significant. Fortunately, the news isn’t all bad: According to Motherboard, many of the leaked Dropbox passwords are protected by a strong hashing function, and the remainder are also encrypted. In other words, your old password isn’t just floating around in plain text form. Furthermore, as Dropbox noted on the explanatory page it linked to from its initial email, “Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed.”
So, here’s where we stand: Even if you haven’t changed your Dropbox password in a while (and there are good reasons why sites shouldn’t make you change your login credentials all the time), your data is probably safe. You don’t even need to go and change your password right away: if you haven’t changed it since mid-2012, the company has already forced a reset on your account.
But that doesn’t mean you should just ignore this incident and move on. As Dropbox itself points out, it’s a good idea to set up two-step verification on the site. If you think you might have reused your Dropbox password on other sites, go change it on those sites as well, since a password exposed in one breach is commonly tried against other accounts. And, as always, this is a good time to set up a password manager if you haven’t already.