Any Dropbox users who haven’t updated their passwords over the past four years should do so immediately because more than 68 million records from Dropbox accounts hacked in 2012 have now appeared online, the file sharing and online storage company said.
First reported by Motherboard yesterday, the Dropbox files showing up online included both user email addresses and hashed passwords. The information appears to have stemmed from a breach reported by Dropbox in 2012, the publication said.
This latest development indicates that the 2012 breach had the potential for far more fallout than Dropbox initially revealed to users. At the time, the company said a stolen employee password had enabled unauthorized access to a project document containing user email addresses, resulting in spam being sent to some of those users.
No Signs of Improper Access
Users who signed up for the service before mid-2012 and haven’t changed their passwords since then would receive a prompt to update them the next time they signed in, Patrick Heim, Dropbox’s head of trust and security, wrote in a blog post last week. While there was no sign that users’ accounts had been improperly accessed, Dropbox’s security teams recommended such precautions based on threat monitoring related to old credentials that were hacked in 2012, he said.
Heim offered more details about those precautions yesterday in a blog post update. “Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012,” Heim said. “The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed.”
After apologizing for the incident, Heim noted that Dropbox had already emailed “all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since…