Dropbox has announced that it was hacked in 2012 and that the personal data of nearly 70 million users was stolen.
The breach includes the passwords and email addresses of 68.7 million account holders. Dropbox confirmed the credentials were stolen years ago, when hackers used stolen employee login details to access a document that contained the email addresses and passwords of users. There is no indication that Dropbox user accounts have been improperly accessed, according to the cloud storage service's head of trust and security.
Still, in response, Dropbox is asking users who may have been affected by the hack to reset their passwords. If you signed up to Dropbox before mid-2012 and have not changed your password since then, you should do so now. Here's everything you need to know.
Were you affected by the breach?
It's hard to tell. The quickest way to determine if you were affected is to sign into Dropbox and see if the service prompts you to update your credentials. Dropbox said it had "hashed" and "salted" the stolen details, meaning they were scrambled and had a random string added so hackers would need a cryptographic key to decipher them. It has also updated how it stores passwords.
However, Dropbox recommended on Wednesday that all users reset their passwords, because if their stolen password is somehow cracked, a password reset would still prevent any hacker from accessing their Dropbox accounts. But that doesn't mean the cracked password can't be used to access other online accounts with the same login details. You should therefore reset any account that uses your Dropbox password.
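To make the "hashed and salted" point concrete, here is an added example (not Dropbox's code, and not a description of how Dropbox actually stores passwords) of the difference between an unsalted hash and a salted, iterated one. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt and 200,000 iterations; those parameters are illustrative choices. The `demo` function shows that two users with the same password get identical unsalted hashes (so one precomputed table cracks both) but different salted records, and that verification still works because the salt is stored next to the digest.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Illustrative parameters (assumptions, not Dropbox's): PBKDF2-HMAC-SHA256,
# 16-byte random salt, 200,000 iterations to slow down offline guessing.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 with no salt. Equal passwords give equal digests,
    so one precomputed (rainbow) table cracks every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash. Returns (salt, digest); both are stored.
    A fresh random salt per user means identical passwords produce
    different records, and each record must be cracked on its own."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant
    time, so timing does not leak how many leading bytes matched."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Run the comparison on a constructed sample password."""
    pw = "correct horse battery staple"  # constructed sample, not a real credential
    salt_a, digest_a = hash_salted(pw)   # user A
    salt_b, digest_b = hash_salted(pw)   # user B, same password
    return {
        "unsalted_equal": hash_unsalted(pw) == hash_unsalted(pw),  # True: linkable
        "salted_equal": digest_a == digest_b,                      # False: unlinkable
        "verify_ok": verify_salted(pw, salt_a, digest_a),          # True
        "verify_wrong": verify_salted("wrong guess", salt_a, digest_a),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even with salting, a stolen digest can still be attacked by guessing passwords one record at a time, which is why the article's advice to reset the password anyway is sound: the salt raises the attacker's cost, it does not make the record unusable.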
How do you reset your Dropbox password?
It's simple. This Dropbox support page explains how to reset your password. You have to sign into your account from the web, click your name at the top of the screen, then click Settings, and click the Security tab. From there, click Forgot password, and then enter the email address you used to create the account. Then check your email inbox, and click the link in the email you received to reset your password.
Should you use two-step verification?
Yes. After changing your passwords, turn on two-step verification for any online account that offers the security measure. This Dropbox support page explains how to sign up for two-step verification. You basically have to sign into your account from the web, click your name in the upper-right, then click Settings, and click Enable under Two-step verification. From there, click Get Started and follow the on-screen instructions.
Two-factor authentication adds a second step to your basic log-in process (that's when you enter your username and password). The password is your single factor of authentication, and adding a second factor simply makes your account a bit more secure or harder to hack.
So, with a second factor, you must have two types of credentials. The second credential can be your fingerprint, phone, or a variety of other things. If it's a phone, you will get a code sent to your phone via SMS, and then you'll need to enter that code along with your login credentials when logging in.
Is there anything else you should know?
The breach also includes usernames - not just passwords. Hackers could use this data in spam and phishing attacks, so you should pay attention to any suspicious emails (emails with spelling mistakes and grammatical errors, for instance). Don't click on any links, call any phone numbers, respond, or provide the sender with any sensitive information in these emails. And always type in Dropbox's site manually into your browser.
If you click a link, you may be directed to a fake version of the site, where you'll ultimately enter your login credentials, and then your password - which now doesn't need to be cracked - can easily be stolen. You should also never use the same password more than once, and passwords should contain both letters and numbers to make it harder for hackers to crack your passwords.