Cloud storage company Dropbox is urging its users to update their passwords following the leak of the details of 68 million customers.
The hack, which occurred in 2012, prompted the company to reveal this week that the passwords were stolen through an employee's account that had been compromised. That compromise allowed the hacker to obtain a “project document with user email addresses”.
Dropbox head of trust and security Patrick Heim said he discovered the extent of the breach after the “old set” of user credentials stolen in 2012 was made available.
Despite the company originally saying no user accounts were compromised, four 5GB files containing 68,680,741 accounts were recently uploaded to breach notification website Leakbase.
"Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012. We can confirm that the scope of the password reset we completed last week did protect all impacted users," Heim said.
"Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn't changed their password since."
He said Dropbox customers who have recycled their passwords on other sites should update them and enable two-factor authentication.
"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing," Australian security researcher Troy Hunt said.