In 2012, hackers stole over 60 million account details for Dropbox, Motherboard reported, and on Wednesday, independent security researcher Troy Hunt verified that over 68 million users' emails and passwords have been dumped online — including his and his wife's.
"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing," Hunt said in a post.
Since the data dumped was from a 2012 breach, Dropbox users who have changed their passwords since then aren't vulnerable to the hack. Dropbox notified all of its users last week of the security issue, informing them that it was forcing passwords resets, Motherboard reported. But if you are in the habit of reusing the same password across different accounts (don't do that), you should change your other passwords that are identical to the one you used that may have been dumped courtesy of the 2012 Dropbox breach.
"We've confirmed that the proactive password reset we completed last week covered all potentially impacted users," Patrick Heim, Dropbox's head of trust and security, told Motherboard. "We initiated this reset as a precautionary measure, so that the old passwords from prior to mid-2012 can't be used to improperly access Dropbox accounts. We still encourage users to reset passwords on other services if they suspect they may have reused their Dropbox password."
The 2012 Dropbox breach seems to be a result of the aforementioned bad habit — a Dropbox employee used the same password for his LinkedIn and Dropbox account, and following a breach into the LinkedIn network, a hacker was able to use their password to get into Dropbox's network, the Guardian reported.
As a user, you should make sure your passwords across different services are all complex and different from one another — and while password managers have been touted as great tools to help securely store your cache of complex passwords, as the Guardian notes, not even password managers are safe. Hope you've got a remarkable memory.