If you got an email from Dropbox asking you to reset your password earlier this week, it’s a good idea to do it. Nearly 70 million stolen Dropbox passwords are circulating online, according to Motherboard, which obtained the data. The file-sharing service has confirmed the passwords are linked to a breach that took place in 2012, although it said the theft only involved user email addresses at the time.
If you want to check whether your email address appears in this or another known breach, you can look it up at Have I Been Pwned. It’s safe to enter your email address there; the site checks it against the data sets from well-known security breaches that it maintains and tells you which ones it appears in. The site is run by Troy Hunt, a security researcher and Microsoft Regional Director, who analysed the Dropbox password cache and confirmed it is authentic.
It’s not all bad news. The passwords being circulated have been hashed, meaning they were run through a one-way hash function rather than stored as plain text (hashing is not encryption: there is no key that turns the hash back into the password). Dropbox has said roughly half of them were hashed with bcrypt and the rest with salted SHA-1. In short, the stolen hashes can’t be used to log in to an account until someone has worked out which passwords produced them. Dropbox said in a statement that no accounts have been improperly accessed and that the password reset has covered all affected accounts.
A determined attacker could, however, still recover some of the passwords and get into the corresponding accounts. It all comes down to how hashing works. A hash function is a mathematical function that turns a string of characters, like a password, into a separate, fixed-length jumble of characters. The same input always produces the same output, while a tiny change to the input, such as one different letter, changes roughly half the bits of the result. It’s also a one-way process, so you can think of it like toothpaste coming out of the tube: you can’t put it back in. What an attacker can do is guess.
An attacker could use free tools, like Hashcat, to hash millions of well-known passwords and compare the results with the Dropbox data. Whenever one of those hashes matches, the attacker knows the sequence of characters that produced it, and that sequence is the user’s plaintext Dropbox password. Since the stolen data also includes the matching email addresses, the attacker could then log in. Two details of the dump shape how much this costs: a salt (a random per-user value mixed into the input) means the wordlist has to be re-hashed for every user rather than once, and bcrypt is deliberately slow, so each guess against a bcrypt hash takes thousands of times longer than a SHA-1 guess. Neither protects a password that is in the wordlist in the first place. Here’s one such effort, using password hashes from a LinkedIn hack.
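To make the dictionary attack concrete, here is an added example (not code from the original article, and not how Dropbox or Hashcat are implemented) that builds a small constructed "dump" of email addresses and SHA-1 hashes, runs a tiny wordlist against it, and counts the hash computations needed with and without per-user salts. The accounts, salts, passwords and wordlist are all made up for this demonstration; the one-letter-edit check at the end shows the avalanche effect described above.

```python
import hashlib

# Constructed example data: these accounts, salts and passwords are invented for
# this demonstration and are not records from the Dropbox dump.
ACCOUNTS = [
    ("alice@example.com", "letmein"),
    ("bob@example.com", "4-random-english-words-nobody-lists"),
    ("carol@example.com", "123456"),
]
SALTS = {  # fixed per-user salts so the run is reproducible (real ones are random)
    "alice@example.com": bytes.fromhex("a1b2c3d4e5f60718"),
    "bob@example.com": bytes.fromhex("0f1e2d3c4b5a6978"),
    "carol@example.com": bytes.fromhex("deadbeefcafef00d"),
}
# A tiny stand-in for the multi-million-entry wordlists a cracker feeds Hashcat.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dropbox", "iloveyou"]


def sha1_hex(data: bytes) -> str:
    """Hex digest of SHA-1 over the given bytes."""
    return hashlib.sha1(data).hexdigest()


def bit_difference(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two hex digests (avalanche effect)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def build_leak(salted: bool):
    """Produce the 'stolen' rows as (email, salt_hex, hash_hex)."""
    rows = []
    for email, pw in ACCOUNTS:
        salt = SALTS[email] if salted else b""
        rows.append((email, salt.hex(), sha1_hex(salt + pw.encode("utf-8"))))
    return rows


def crack(rows, wordlist):
    """Dictionary attack. Returns ({email: recovered_password}, hash_count)."""
    recovered, work = {}, 0
    if all(salt_hex == "" for _, salt_hex, _ in rows):
        # Unsalted: hash the wordlist once, then look every leaked hash up.
        table = {}
        for cand in wordlist:
            table[sha1_hex(cand.encode("utf-8"))] = cand
            work += 1
        for email, _, h in rows:
            if h in table:
                recovered[email] = table[h]
        return recovered, work
    # Salted: the salt changes the input per user, so the wordlist has to be
    # re-hashed for each user; cost scales with users x candidates.
    for email, salt_hex, h in rows:
        salt = bytes.fromhex(salt_hex)
        for cand in wordlist:
            work += 1
            if sha1_hex(salt + cand.encode("utf-8")) == h:
                recovered[email] = cand
                break
    return recovered, work


if __name__ == "__main__":
    for salted in (False, True):
        found, work = crack(build_leak(salted), WORDLIST)
        print(f"salted={salted}: recovered {found} using {work} SHA-1 calls")
    print("bits changed by a one-letter edit:",
          bit_difference(sha1_hex(b"letmein"), sha1_hex(b"letmeim")))
```

Both runs recover alice and carol, whose passwords are in the wordlist, and neither recovers bob, whose passphrase is not. The salted run needs more hash calls because the table-lookup shortcut is gone; with bcrypt the count would be similar but each call would cost far more. The only thing that kept bob safe was a password no wordlist contains.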
Even if an attacker does recover a password, Dropbox users with two-factor authentication turned on have another barrier in front of the intruder. The bigger risk is reuse: if the same password guards another service, resetting it at Dropbox does nothing for that other account, so change it there too. Securing an account can be a hassle sometimes, but it’s usually worth the trouble.
Correction: An earlier version of this article named the operator of Have I Been Pwned as Troy Hunter instead of Troy Hunt.