Cloud storage company Dropbox has been advising some its 500 million users to update their passwords as a "preventive measure". The reason? A total of 68m customers have had their account details circulated following a previous hack on the company.
Back in 2012 the firm said a stolen password was used to access one of its employees' Dropbox accounts and obtain a "project document with user email addresses".
Read more: Want to know if you've been hacked? Troy Hunt has the details
These details have now resurfaced online. In a blog post, Patrick Heim, head of trust and security, said he had become aware of an "old set" of Dropbox user details, which were first obtained in 2012, being available.
Despite the company saying it believes no user accounts have been compromised, details from 68,680,741 accounts are in four 5GB files obtained by breach notification website Leakbase.
Motherboard has independently verified the data breach, with an anonymous company official saying the data is real. Australian security researcher Troy Hunt has also seen the data and says the company was "proper hacked" four years ago.
"What we've got here is two files with email address and bcrypt hashes then another two with email addresses and SHA1 hashes," Hunt wrote in a blog post. As Motherboard highlighted, the passwords secured with bcrypt are unlikely to be revealed due to its strong nature.
"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing," Hunt continued.
For Dropbox users this means passwords should be reset. The San Francisco-based company has already said those who haven't changed their passwords since mid-2012 should update them as soon as possible adding they'll be prompted to update it the next time they sign in.
"If prompted, all you need to do is choose a new and strong password," a Dropbox blog post said. "We provide a password strength meter to help you. If you don’t receive a prompt, you don’t need to do anything."
Those customers who also used the same password on Dropbox as other services should also ensure their passwords on other websites are updated.
Want to protect yourself from hackers? Come to WIRED Security, a new one-day event from WIRED, curated to explore, explain and predict new trends, threats and defences in cyber security. It takes place on October 20 in London. Find out more about the inaugural event here.
This article was originally published by WIRED UK
