After cloud-storage service Dropbox sent an email to its users prompting password resets for those who hadn’t done so since 2012, it’s now been confirmed that more than 68 million account details were leaked in a breach that occurred four years ago.
While that breach was previously disclosed, it was only recently discovered just how many accounts were affected. News website Motherboard obtained the leaked files and independently confirmed the Dropbox passwords were contained there, and also confirmed the legitimacy of the files with Dropbox. Security blogger and Have I been pwned operator Troy Hunt also independently confirmed the leaked files contained Dropbox passwords.
In the initial blog post explaining why Dropbox is asking some users to reset passwords, Patrick Heim, head of trust and security for Dropbox, said it was a precautionary measure.
“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”
This isn’t the first time that Dropbox has faced security issues involving the loss of sensitive user information. Another incident in 2012 saw Dropbox users emailed spam, after an employee’s own Dropbox account containing a spreadsheet of user data was compromised.
Major breaches involving user passwords seem to have become a routine occurrence. Just last June, it was revealed that LinkedIn was the victim of a data breach unleashing 117 million passwords into the wild. Here are some password tips to keep your personal online accounts as safe as possible:
- Use a password manager. Many software options are available, some free of charge, and others for a fee. Some widely used examples include KeePass, LastPass, and 1Password. This allows you to use a different password for every site you use, without having to remember them all. Also, because the manager can generate long, random passwords for you, all your passwords will be near impossible to crack.
- Set your password manager to prompt you to change your passwords every so often. Many offer this as an option. Think of it like visiting the dentist – changing your passwords is just something you have to do at least a couple times a year for your health.
- Visit Troy Hunt’s Have I been pwned site. Hunt maintains the tool that lets you type in your email or username to find out if you’ve been caught up in a data breach. It’s already updated to include the Dropbox breach.
- Use two-factor authentication when it’s offered. Some online services allow you to require another piece of information in addition to your password to log in to your account. While this can feel onerous, it means you’d be less at risk if a password is discovered, since the password alone would no longer be enough to log in.