Hackers have obtained login and password pairs for more than 68 million Dropbox accounts, according to a Motherboard report. The data comes from a 2012 breach of the company’s database, but offers new detail on the depth and scope of that breach. The associated passwords are encrypted through a variety of algorithms, but users are still advised to change passwords and implement two-factor authentication. Both Dropbox and independent researcher Troy Hunt have confirmed the validity of the data.
Most of the implicated Dropbox accounts should already be protected. The passwords involved are all several years old, and Dropbox security reset a number of accounts in response to the breach in 2012. The company began a new round of password resets earlier this week, most likely in response to the new dump.
The biggest surprise is how broad the scope of the 2012 breach really was. When Dropbox first reported the breach, the company was vague about the number of accounts affected, but 68 million accounts would constitute more than two-thirds of the active users on the service at the time.