So, I woke up this morning to an email from Troy Hunt, or rather, a message from his Have I Been Pwned? service. It seems that my account was one of the 68,648,009 compromised in the Dropbox breach.
From the sound of things, there’s some mixed news. The bad news is, at the time of the breach, four years ago, many passwords were still being stored as SHA-1 (MD5) hashes. The good news is that they appear to have been salted hashes and the hash values weren’t included in the breach.
Dropbox did send out an alert a few days ago saying that they had reset passwords for anyone who hadn’t updated their password in the past four years (guilty!). The email said it was done as a precaution, but didn’t go into detail about what it was a precaution again. To find that out, you had to click through and read a blog post.
I’m probably OK. My password probably wasn’t as secure as it might have been, but thankfully, the lack of salt values for the SHA1 passwords should make them quite difficult to break. And perhaps most importantly, I’ve never used that same password anywhere else.
(But yes, I changed my password to something a bit more secure. It’s now 40 random characters generated by KeePass.)
Some important takeaways:
- Change your Dropbox password.
- Don’t use the same password in more than one place.
- Consider turning on two-factor authentication.
- Consider also signing up with Have I Been Pwned?
- Why are you still reading this? Go change your Dropbox password!
(Photo from Pexels, free for non-commercial use.)