Hold on to your breaches, everyone. A few days after forcing mandatory password resets for some of its older users, it looks like the worst has come to bear for online storage service Dropbox: independent analysis has confirmed earlier reports and rumours that over 60 million usernames and passwords, stolen by hackers in 2012 and shared around the 'net, are real.
The confirmation comes from security pro Troy Hunt, who runs the comprehensive Have I Been Pwned? searchable database of breaches and compromised data. His post comes a few hours after a Motherboard article saying the true extent of the hack — from mid-2012 — is only now starting to become clear.
A few days ago, Dropbox emailed users who had signed up for its service in 2012 or before to tell them that a mandatory password reset would be required on their next login — if they had not already changed their passwords since the hack took place. Half of the over 60 million account passwords were hashed with bcrypt and are unlikely to be cracked easily, while the other half were hashed with the now-deprecated SHA-1 and are potentially easier to recover by brute force.
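To make the bcrypt-versus-SHA-1 distinction concrete, here is an added example (it is not from the article and is not Dropbox's code) in Python. It assumes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, since bcrypt is a third-party package; the property that matters for the article's point is the same, a per-user salt plus a tunable work factor. It also shows the kind of "needs upgrade" check a service uses to find accounts still sitting on a legacy fast hash, which is what drives a forced reset like the one described above.

```python
import hashlib
import hmac
import os
import time

# Unsalted SHA-1, the weaker scheme the article mentions: one fast hash
# per guess, and every account sharing a password shares the same digest.
def sha1_store(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the stdlib).
# Raise ITERATIONS over time; verify() reads the stored count, so old
# records keep working until they are re-hashed.
ITERATIONS = 200_000

def slow_store(password: str, iterations: int = ITERATIONS) -> str:
    # Fresh random salt per record, so equal passwords give different strings.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(stored: str, candidate: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_upgrade(stored: str) -> bool:
    """True for a legacy bare SHA-1 digest or a below-current work factor."""
    if "$" not in stored:
        return True  # a 40-hex-char bare SHA-1 string, no salt, no cost
    scheme, iterations, _, _ = stored.split("$")
    return scheme != "pbkdf2_sha256" or int(iterations) < ITERATIONS

def cost_ratio(password: str = "example-password") -> float:
    """Roughly how many SHA-1 hashes fit in the time of one slow hash."""
    t0 = time.perf_counter()
    for _ in range(1000):
        sha1_store(password)
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_store(password)
    slow = time.perf_counter() - t0
    return slow / fast

if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    a, b = sha1_store("hunter2"), sha1_store("hunter2")
    print("SHA-1 digests identical across users:", a == b)
    sa, sb = slow_store("hunter2"), slow_store("hunter2")
    print("salted slow hashes identical across users:", sa == sb)
    print("verify correct:", verify(sa, "hunter2"), "verify wrong:", verify(sa, "hunter3"))
    print("legacy record needs upgrade:", needs_upgrade(a))
    print("SHA-1 hashes per slow hash: about", int(cost_ratio()))
```

On a real login flow the upgrade check runs right after a successful verify: the plaintext is in hand at that moment, so the service can re-hash it with the current scheme and replace the legacy record. Accounts that never log in keep the old hash, which is exactly the population a forced reset is meant to catch.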
Take this as a reminder to go ahead and change your Dropbox password. In fact, change all your passwords. In fact, change all your passwords and use a password manager and change the password for your password manager. It's the only way to be sure. [Troy Hunt / Motherboard]