Login details belonging to tens of millions of Dropbox users are now being sold online, four years after the cloud storage provider suffered a major data breach. We tell you how to find out if your info's being flogged by fraudsters and what to do if it is.
Dropbox this week confirmed that it was hacked in 2012 and that email addresses and passwords belonging to more than 68 million accounts have been recently made available for purchase online.
It is understood the credentials were obtained when hackers used stolen employee login details to access a document containing the users' information. The number of users affected by the hack was not known until now, and the company had previously said only email addresses were taken – not passwords.
For more on staying safe online, see our Stop Scams guide. If you don't fancy sticking with Dropbox and want to try another provider, check out our guide on Free Cloud Storage, which is essentially online data storage.
Check if your account details have been stolen
If you had an account prior to mid-2012, there's a good chance your email address and password may have been stolen. Although Dropbox has since reset impacted users' passwords, meaning your account is probably safe now, if you use the same password elsewhere you may still be at risk – see below.
This is why it's important to find out whether your details have been compromised. Fortunately this is free and easy to do, thanks to the website HaveIBeenPwned? ('pwned' derives from and rhymes with 'owned', which is slang for being made a fool of).
Go to the site and enter your email address. In this instance use the email address connected to your Dropbox account, though it's a good idea to enter any address you use for logins elsewhere, to see if those accounts have been affected by any hacks too.
It'll then show you a list of breaches you've been 'pwned' in – ie, when information from any accounts you have has been stolen and released publicly – with some background info on the hack, plus what data has been compromised.
In the case of Dropbox it would just be your email address and/or password, but depending on the type of information you've provided to the hacked company and what was stolen, it could be any number of things from your date of birth to your security questions and answers.
For some Q&As on how the site works and its founder, Troy Hunt, see the LinkedIn hack MSE News story.
If the website shows that your account details have been stolen, don't panic – but do take action straightaway. Here's what you should do:
1. Change your password, on Dropbox and anywhere else you've used it
Dropbox has said it's proactively reset the passwords of all potentially affected users – ie, those who hadn't reset theirs since the breach took place in 2012. If that's you then you'll be prompted to choose a new password when you next log in.
However if you've used the same password on other sites, it's important you reset it on those accounts too. Since the stolen data includes both your email address and password, fraudsters who get hold of it may try and use it to hack into other accounts of yours.
HaveIBeenPwned? founder and web security specialist, Troy Hunt, recommends setting a strong, unique password for each of your various accounts, and signing up to a password manager – these store your passwords and can be accessed from a single master password.
LastPass is free and well reviewed. Alternatively, Troy recommends KeePass, which is also free, or the "more polished" 1Password, which costs $35.88/year (£27) – though the first six months are currently being offered for free if you want to try it.
For further guidance, see Martin's Password help blog.
2. If your financial details were exposed, check for fraud
If an account of yours with financial details was breached, or any details taken could have been used to access your financial info, check your bank or credit account. If you see anything unusual, contact your bank and Action Fraud online or on 0300 123 2040. Also check your credit file in case anyone's stolen your ID.
3. Watch out for spam emails
4. Don't disclose your data – cold calls/emails may be a scam
If you're contacted by anyone asking for personal data or passwords (such as for your bank account), it's likely to be a scam – so by no means hand over your sensitive info. This is always a sensible rule to follow – but it particularly applies in the wake of a data breach, as historically scammers have tried to exploit this kind of incident.
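The check described above (enter an address, get back the breaches it appears in and what was exposed) and the four follow-up steps, as an added example in Python; this is not MSE's or HaveIBeenPwned's own code. It assumes the current HaveIBeenPwned v3 API, which needs an API key that the web form does not, and uses a constructed sample response so the mapping part runs offline.

```python
"""Look up an email address on HaveIBeenPwned and map what was exposed
onto the article's action steps. Added example, not the site's own code."""
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def fetch_breaches(email, api_key):
    """Return the breach records for `email`, or [] if it is in none.
    Assumption: API v3 needs a 'hibp-api-key' header and a user-agent."""
    url = HIBP_URL + urllib.parse.quote(email) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,
        "user-agent": "breach-check-example",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:          # 404 means the address was not found
            return []
        raise

# Data class names as used by HIBP (assumption; check the site's list).
PASSWORD_CLASSES = {"Passwords", "Security questions and answers"}
FINANCIAL_CLASSES = {"Credit cards", "Bank account numbers"}

def recommend_actions(breaches):
    """Collect exposed data classes across all breaches and return
    (sorted classes, list of steps from the article that apply)."""
    exposed = set()
    for b in breaches:
        exposed.update(b.get("DataClasses", []))
    actions = []
    if exposed & PASSWORD_CLASSES:
        actions.append("reset this password here and on every site where it was reused")
    if exposed & FINANCIAL_CLASSES:
        actions.append("check bank/credit accounts and credit file for fraud")
    if "Email addresses" in exposed:
        actions.append("expect spam/phishing; never hand data to cold callers or emails")
    return sorted(exposed), actions

# Constructed sample in the shape of an HIBP breach record (not real API output).
SAMPLE = [{"Name": "Dropbox", "BreachDate": "2012-07-01",
           "DataClasses": ["Email addresses", "Passwords"]}]

if __name__ == "__main__":
    print(recommend_actions(SAMPLE))
```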