Change your Dropbox password following breach: Alert Priority Moderate
People who signed up to popular file hosting and storage service Dropbox before and during 2012 are advised to change their passwords immediately. The advice follows reports a security breach in 2012 may have exposed up to 68 million user credentials.
In a blog post, Dropbox Head of Trust & Security, Patrick Heim, acknowledged the list of email addresses and passwords reportedly leaked recently to a technology website ‘was real’, but said the company had no indication that user accounts had been improperly accessed.
Dropbox first heard about the leaked list of credentials two weeks ago, and started an investigation. Based on Dropbox’s analysis, Heim said, the exposed email addresses and passwords were likely obtained in 2012.
Heim said Dropbox had emailed all affected users and completed a password reset for anyone who had not updated their password since mid-2012. The passwords obtained in the Dropbox breach were ‘hashed’ and ‘salted’, providing a level of protection similar to encryption. This minimises the ability of attackers to use them to gain access to accounts and any stored files.
While the risk to user information is lower when a breach involves hashed and salted passwords rather than unprotected passwords, you should still change your password and always monitor your account for unauthorised activity.
If you signed up to Dropbox before 2012 and reused your Dropbox password on any other website, you should immediately change that password. An attacker may crack some of the leaked passwords and try them on other websites to see if they can gain access to user accounts. Passwords should not be used across multiple websites. Doing so increases the potential damage if a password is obtained by a malicious person or group.
Dropbox also offers two step verification
for its users which, if enabled, helps stop attackers from accessing data even if they obtain a password. Stay Smart Online recommends that you use two factor authentication or two step verification on any website that offers it, in order to help protect your data.
The information provided here is of a general nature. Everyone’s circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications (‘the Department’). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.