Last week, Dropbox users who had created an account before mid-2012 and hadn’t changed their password since were prompted to do so the next time they signed in. The move was billed as a “preventive measure”, but apparently there’s more to the story: security researchers claim the details of 68,680,741 user accounts have been leaked onto the dark web, complete with their email addresses and hashed passwords, as the result of a data breach back in 2012.
The data dump came to light after it was picked up by security notification service Leakbase, which sent the 5GB file to Motherboard. The latter says it was able to get confirmation from a “senior Dropbox employee”, speaking on the condition of anonymity, that the leaked data is genuine. The company had around 100 million customers at the time, meaning the data dump represents over two-thirds of its user accounts.
It’s not all bad news, however. According to security expert Troy Hunt, who examined the files, Dropbox did use strong password-hashing practices and appears to have been in the process of upgrading to a more secure standard called bcrypt. In Hunt’s words, “all but the worst possible password choices are going to remain secure even with the breach now out in the public.”
Dropbox’s security boss Patrick Heim also says that there’s no indication that Dropbox user accounts have been improperly accessed. However, affected users who may have reused their password on other sites should take steps to make their passwords, both on Dropbox and elsewhere, strong and unique, and should enable two-step verification.
If you are among those affected by the breach you should have received a notification already prompting you to change your password. You can also check whether your data was breached in this or other security incidents at Have I Been Pwned -- a site maintained by Hunt.