You Should Change Your Dropbox Password Right Now


If you haven’t changed your password for Dropbox since mid-2012, you should do so now. Like, stop reading this and go do it.

As first reported by Motherboard and then confirmed by web-security expert Troy Hunt, hackers were able to grab emails and passwords for 60 million Dropbox users. The good news? The passwords were encrypted. The bad news? About half of them include the “salt,” a bit of random data generated on top of the password intended to make it even more difficult to see the raw password data. Without the salt, cracking passwords is very, very difficult. With the salt, it’s not. Hunt had changed his password in 2014, so while he found his records in the breach, he wasn’t worried about someone being able to get into his account. His wife, however, while using a strong password from 1Password, had not, and Hunt was able to quickly figure out the salt on her password. While actually cracking that password would still remain very, very difficult, it’s not impossible, especially for anyone using a relatively common password.

Earlier this week, Dropbox forced a number of password resets on users, related to a mid-2012 breach. It appears that those users were part of the 60 million users breached. Even if you didn’t get a forced password reset, if you’re still using “GoMets86!” for your Dropbox account and haven’t switched it up in the past four years, go do that. And if you use “GoMets86!” for a bunch of other services, particularly anything highly sensitive like personal email or bank accounts, go ahead and switch that over as well. (Also, stop using one password for every service, but you’ve probably already heard that.)

Dropbox had a somewhat similar security issues in 2014, though in that case the service claimed it was because of password reuse, not an actual data breach.

If you’re curious just how much of your personal data is out there, you can always check haveibeenpwned, which will check your email against known data breaches, though it hasn’t been updated with the 60 million accounts quite yet. It’s still instructive — I personally have been pwned five times, which is why my password is no longer “NobodyWillEverGuessThis!” for every service I use. It’s also a good reason to use something like 1Password or LastPass; remembering a strong password for every single different service you log in is, frankly, nearly impossible, and these services fix that problem. So even if your password for Adobe Cloud Services gets released into the wild, your Gmail account remains secure.