The persistent rumour of a massive Dropbox hack has finally been confirmed — and the details aren't good. Independent analysis has revealed that over 68 million Dropbox user names and passwords are freely available on the internet. If you haven't already, you really need to reset your password.
The Dropbox hack is real, with a whopping 68,648,009 Dropbox accounts searchable on the Have I Been Pwned website. In a recent blog post, security expert Troy Hunt outlined the extent of the hack and obtained independent confirmation by searching for his own Dropbox login details along with those of his wife.
I trawled through the data and sure enough, there was my record. [My wife] too had an entry in the breach. There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing. The only places that password ever existed was in [my wife's] strongly encrypted 1Password keychain and on Dropbox's servers.
A few days ago, Dropbox emailed users who joined on or before 2012 to inform them that a mandatory password reset was necessary on their next login — if they had not already updated their passwords since the hack took place. Half of the over 60 million account passwords were hashed with bcrypt, a deliberately slow scheme with a tunable work factor, and are unlikely to be easily cracked; the others were hashed with the now-deprecated SHA-1, a fast general-purpose hash with no work factor, which leaves them far more exposed to brute-force guessing.
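The split between slow and fast hashes in the leaked data is exactly the situation a "rehash on next login" migration is meant to clean up, and the accounts it cannot reach (users who never log in) are the ones a forced reset has to cover. The following is an added example, not code from Dropbox or from Troy Hunt's post: a constructed credential store holding one legacy SHA-1 record and one modern record, a verifier that understands both formats, a login path that transparently re-hashes legacy records on success, and a report of which accounts still need a forced reset. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (an assumption made so the example runs without third-party packages; the point is the work factor, not the specific algorithm). User names, passwords and salts are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for the slow scheme. Assumption: PBKDF2-HMAC-SHA256 stands in
# for bcrypt, which needs a third-party package. Tune upward as hardware improves.
PBKDF2_ROUNDS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Legacy format 'sha1$<salthex>$<digesthex>'.

    One SHA-1 per guess: cheap for the server, equally cheap for an attacker
    working offline against a leaked table. This is the weak half of the store.
    """
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def slow_hash(password: str, salt: Optional[bytes] = None,
              rounds: int = PBKDF2_ROUNDS) -> str:
    """Modern format 'pbkdf2_sha256$<rounds>$<salthex>$<dkhex>' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either stored format using a constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest = fields
        expected = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, stored)
    if scheme == "pbkdf2_sha256":
        rounds, salt_hex, _dk = fields
        expected = slow_hash(password, bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(expected, stored)
    raise ValueError(f"unknown hash scheme {scheme!r}")


def needs_upgrade(stored: str) -> bool:
    """True for records still protected only by the fast legacy hash."""
    return stored.startswith("sha1$")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; on success, silently re-hash a legacy record under the slow scheme.

    The plaintext is available only at login time, so this is the one moment
    a legacy hash can be upgraded without asking the user to do anything.
    """
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        users[username] = slow_hash(password)
    return True


def accounts_to_force_reset(users: Dict[str, str]) -> List[str]:
    """Accounts that never logged in since the migration keep their legacy hash.

    Those are the ones a mandatory reset on next login has to cover.
    """
    return sorted(name for name, stored in users.items() if needs_upgrade(stored))


def build_sample_store() -> Dict[str, str]:
    """Constructed two-account store: one legacy SHA-1 record, one modern record."""
    legacy_salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    return {
        "alice": legacy_sha1_hash("hunter2-legacy", legacy_salt),  # constructed
        "bob": slow_hash("bob-passphrase"),                        # constructed
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("needs reset before any logins:", accounts_to_force_reset(store))
    print("alice wrong password:", login(store, "alice", "wrong"))
    print("alice correct password:", login(store, "alice", "hunter2-legacy"))
    print("alice now stored as:", store["alice"].split("$")[0])
    print("needs reset after alice logs in:", accounts_to_force_reset(store))
```

A failed login attempt never upgrades a record, so an attacker guessing against the live service cannot influence the migration; only a correct password on the legitimate login path does. Whatever remains in `accounts_to_force_reset` after a migration window is the population that still has to be told to reset.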
Naturally, anyone who hasn't changed their Dropbox password in a while should do so immediately. Hunt also recommends enabling Dropbox's two-step verification if you haven't already done so. We'll report with more news as we get it.
[Via Troy Hunt]