More than 68 million Dropbox account logins have leaked online, but don't panic just yet.
The email address and password leak, first reported by Motherboard, is due to a targeted attack against users of the cloud storage service in 2012. The attack was possible because users employed the same passwords across multiple websites, some of which were breached, the company said. Dropbox disclosed the breach soon after the attack.
On Friday, Dropbox announced that it was issuing a forced reset of passwords for all users who created their accounts before the middle of 2012 and have not changed their passwords since. The company did not disclose the number of affected accounts.
Dropbox said all passwords were hashed and salted, meaning Dropbox's system added extra characters to the end of every password before hashing it for storage, so that even if hackers stole the stored passwords, they would be protected.
Dropbox says it does not believe any of the affected accounts have successfully been compromised as a result of the login leak.
Still, the leak serves as yet another reminder of the fragility of passwords as a security tool. A 2015 survey conducted by password manager company Password Boss found that 59 percent of internet users reuse passwords across multiple sites and services, greatly increasing the risks to their data.
To better protect your online data, create a secure password for every site or online service you use, especially those that contain personal information or files. Use a password manager to create strong passwords that cannot easily be cracked. And enable two-factor authentication—which will require anyone who tries to access your account from a device other than your own to enter an additional authentication code sent to you—on any service that offers it. (Dropbox does, as do Facebook, Gmail, and Twitter.)
To find out whether your accounts have already been compromised, enter your email address(es) into the search tool on Leaked Source, which collects leaked databases in an effort to inform users about the security of their accounts.
Contact the author: Andrew Couts, firstname.lastname@example.org