Dropbox was reportedly hacked back in 2012. In 2014, hundreds of Dropbox passwords were leaked by an anonymous hacker. Now Dropbox is forcing password changes on anyone with a password older than 2012. This story keeps unfolding, but here's the bottom line: Change your Dropbox password now.
What does this all mean for you? Simple: Change your Dropbox password.
If you're curious about why everyone seems to be talking about Dropbox and passwords right now, here's the timeline:
- Dropbox never confirmed whether the 2012 hack was real, although they did acknowledge some users were getting spam to Dropbox-specific accounts. They enabled two-factor authentication around that time, along with some other security tools.
- They did come out in 2014 to say that they were never hacked and any leaked passwords came from third-party services.
- This week's forced password change for anyone who hasn't changed their password since 2012 is, Dropbox says, just a matter of just-in-case security, prompted by their own threat monitoring.
- Motherboard reported this week that over 60 million Dropbox credentials were stolen by hackers back in 2012. TechCrunch points out that the service itself wasn't so much hacked; rather, one employee's poor password policies led to that massive 2012 incident, in which those 60 million passwords were stolen. Security researcher Troy Hunt went even further in a semi-alarming blog post, pointing out exactly how many new Dropbox credentials were dumped just this week.
The distinction between "incidents," "hacks," and "data theft" is all academic. For the average person uninterested in the nuance: just change your Dropbox password.
Especially if you haven't changed it since 2012 and you're one of the people Dropbox emailed. If you're not one of those people, change it anyway, and put the whole affair behind you.
And, as we pointed out in our original post about this week's Dropbox news:
- Never use the same username and password on more than one site.
- You don't always have to change your passwords regularly, but you should at least change them after major attacks.
- Enable two-factor authentication.
- Use a password manager to generate unique passwords you don't know and store them for you.
A little inconvenience now in the way of a password change -- and in enabling two-factor if you don't have it turned on already -- will make sure that your account is safe and secure, whether your password was included in this dump, or will be included in the next. It takes five minutes. Just do it today.