The hack of Dropbox actually happened in 2012, but it is only becoming known now that the number of affected customers was more than 68 million. Dropbox has been quick to reassure customers that none of the accounts were accessed improperly, and that the forced password reset it implemented at the time prevented mass exploitation of the data by malicious actors.
The reason the number of affected accounts is only now becoming clear is that Dropbox never released a figure back in 2012 when the hack was made public. It is only now, through the leaked credential databases circulating among hackers, that the usernames and hashed passwords are being tallied up to a total of 68,680,741 accounts.
Of the 68 million, almost 32 million passwords are protected with the strong, deliberately slow hashing function bcrypt, which makes it difficult for attackers to recover users' actual passwords. The remainder are hashed with SHA-1, a fast general-purpose hash that was never designed for password storage: because each guess costs only one cheap SHA-1 computation, attackers can test billions of candidate passwords per second against the stolen hashes, so the weak and common ones fall relatively easily.
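The contrast described above, as an added example that is not code from the original article or from Dropbox: it runs the same dictionary attack against unsalted SHA-1 hashes and against a salted, iterated hash, and counts the work each one costs. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (an assumption, chosen so the example runs offline without third-party packages; both schemes are salted and carry a tunable cost parameter, which is the property that matters here). The wordlist and the "leaked" hashes are constructed for the example.

```python
import hashlib
import os

# Constructed wordlist and "leak" for the example; none of this is Dropbox data.
WORDLIST = ["password", "123456", "qwerty", "dropbox2012", "letmein"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, hex-encoded: the weak scheme."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed leaked hashes: two weak passwords and one that is not in the wordlist.
LEAKED_SHA1 = [sha1_hex("123456"), sha1_hex("dropbox2012"), sha1_hex("9!kL#pQ2vR$x")]


def crack_sha1(leaked_hashes, wordlist):
    """Dictionary attack on unsalted SHA-1.

    Each candidate is hashed once and looked up against every leaked hash,
    so the cost is len(wordlist) hashes no matter how many accounts leaked.
    """
    lookup = {sha1_hex(w): w for w in wordlist}
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


ITERATIONS = 100_000  # cost parameter; bcrypt's work factor plays the same role


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) standing in for bcrypt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_records(passwords, iterations=ITERATIONS):
    """What a server stores under the strong scheme: a fresh random salt and digest per account."""
    records = []
    for p in passwords:
        salt = os.urandom(16)
        records.append((salt, slow_hash(p, salt, iterations)))
    return records


def crack_slow(records, wordlist, iterations=ITERATIONS):
    """Same dictionary attack against the salted scheme.

    The salt differs per account, so every candidate must be re-hashed for
    every account, and each hash costs `iterations` rounds. Returns the
    cracked passwords and the total number of hash rounds spent.
    """
    found = {}
    work = 0
    for salt, digest in records:
        for w in wordlist:
            work += iterations
            if slow_hash(w, salt, iterations) == digest:
                found[digest.hex()] = w
                break
    return found, work


def cost_ratio(n_accounts: int, iterations: int = ITERATIONS) -> int:
    """How many times more work the salted, iterated scheme costs an attacker
    than unsalted SHA-1 for the same wordlist: one pass over the wordlist
    becomes n_accounts passes of `iterations` rounds each."""
    return n_accounts * iterations


if __name__ == "__main__":
    print("SHA-1 cracked:", crack_sha1(LEAKED_SHA1, WORDLIST))
    records = make_records(["123456", "9!kL#pQ2vR$x"], iterations=2_000)
    cracked, work = crack_slow(records, WORDLIST, iterations=2_000)
    print("slow-hash cracked:", cracked, "after", work, "hash rounds")
    print("cost ratio for 68,680,741 accounts:", cost_ratio(68_680_741))
```

The unsalted case cracks both weak passwords with five SHA-1 computations in total, and that table of five hashes is reusable against all 68 million accounts at once. In the salted case the attacker starts over for every account and pays the full iteration count per guess; bcrypt's work factor has the same effect, which is why the bcrypt half of the leak is the much smaller problem.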
Dropbox did disclose the breach in 2012, notifying users that an employee's password had been compromised and used to access a document containing users' email addresses. At that time, however, the company did not disclose that the hackers had obtained the hashed passwords too.
But earlier this week, Dropbox sent additional emails alerting affected users that a large set of user credentials was obtained in the 2012 breach and may soon appear for sale on a dark-web marketplace. It also prompted affected users to change their password if they had not changed it since mid-2012.
What should you do?
If you heard about the hack back in 2012 and changed your password then, the chances are that you will not have to change it again. But if you are feeling extra vigilant, changing your Dropbox password again is not a bad idea, and you might want to change it regularly anyway.
We also recommend that you adopt a very strong password and use a password vault (some vaults have been compromised too, so we use KeePass, which is free). Our passwords for accounts where we do not need to remember them are often as long as 64 characters, with a mixture of upper-case characters, lower-case characters, numbers and special characters. Such a strong password, changed say every quarter or every six months, would be very safe indeed. Because your Dropbox software remembers the password, there is no need to memorise it, and extreme password length is a very safe way of securing your cloud storage. Two further points matter as much as length: the password must be unique to Dropbox, so that a hash cracked from this leak cannot be replayed against your other accounts, and Dropbox's two-step verification should be switched on, so that a leaked password alone is not enough to log in.
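The kind of password described above, as an added example that is not code from the original article or from KeePass: it generates a 64-character password from all four character classes using Python's `secrets` module (the CSPRNG, not `random`, which is predictable) and works out how long an exhaustive search would take at an assumed guess rate. The 10^12 guesses-per-second figure is an assumption standing in for a large GPU cracking rig; the point is the gap between 8 and 64 characters, not the exact rate.

```python
import math
import secrets
import string

# The four character classes the advice above asks for.
CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 64) -> str:
    """Uniformly random password from ALPHABET, drawn with the OS CSPRNG.

    Candidates missing a class are rejected and redrawn; for length 64 that
    is vanishingly rare, so the entropy loss from rejection is negligible.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to exhaust the full space at the given guess rate (assumed rate)."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(64)
    print(pw)
    for n in (8, 12, 64):
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, "
              f"{brute_force_years(entropy_bits(n)):.3g} years at 1e12 guesses/s")
```

An 8-character password over this alphabet has about 52 bits of entropy and falls to an exhaustive search in well under a year at the assumed rate; 64 characters gives roughly 420 bits, which no search will exhaust. That is the property that makes the vault-stored, never-typed password safe, and it holds whether or not the password is rotated.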