In 2012, Dropbox suffered a data breach. It happened because one employee didn't vary his passwords and used his corporate password for his LinkedIn profile, which had itself been breached.
After four years (for some reason), those 68,000,000 emails and passwords were released onto the internet.
Dropbox sent out notifications last week to all users who had not changed their passwords since 2012. The company had around 100m customers at the time, meaning the data dump represents over two-thirds of its user accounts. At the time Dropbox practiced good user data security practice, encrypting the passwords and appears to have been in the process of upgrading the encryption from the SHA1 standard to a more secure standard called bcrypt.
Half the passwords were still encrypted with SHA1 at the time of the theft.
What the above quote means is that the password data was, thankfully, encrypted. The level of protection varied depending on whether an account's password had been encrypted with SHA1 or with bcrypt, but the weaker of the two (SHA1) is still very secure.
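As an added illustration of the SHA1-to-bcrypt upgrade the quote describes (example code, not Dropbox's own): a login routine that still accepts a legacy, unsalted SHA1 record but, on the next successful login, transparently replaces it with a salted, deliberately slow hash. Python's standard library has no bcrypt, so hashlib.scrypt stands in for it here; the two record formats are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record formats (assumptions for this example):
#   "sha1$<hex digest>"            legacy: unsalted, fast to compute
#   "scrypt$<salt hex>$<key hex>"  upgraded: salted, memory-hard (bcrypt stand-in)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_sha1(password: str) -> str:
    """Produce a legacy record the way an old, unsalted store would."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash; a fresh random salt is drawn unless one is supplied."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify(record: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha1":
        return hmac.compare_digest(record, legacy_sha1(password))
    if scheme == "scrypt":
        salt_hex, _, _ = rest.partition("$")
        try:
            salt = bytes.fromhex(salt_hex)
        except ValueError:
            return False  # malformed record: never match
        return hmac.compare_digest(record, slow_hash(password, salt))
    return False  # unknown scheme


def login(record: str, password: str) -> Tuple[bool, str]:
    """Return (success, record_to_store). A successful login against a
    legacy SHA1 record yields an upgraded scrypt record to persist instead."""
    if not verify(record, password):
        return False, record
    if record.startswith("sha1$"):
        return True, slow_hash(password)  # the only moment the plaintext is at hand
    return True, record
```

Because the upgrade needs the plaintext, it can only happen at login; users who never log back in keep the weak record, which is exactly why Dropbox still held many SHA1 hashes when the data was taken.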
I received a notification on a Dropbox account I rarely used (back when storage space was very limited on it). It suggested I reset my password, but when I went to reset it, it turned out Dropbox had already reset it proactively.
Just to be careful, I would reset any account password that might use the same email and password combination. In addition, enable two-step verification on your accounts if it is available. Usually, this involves your account getting a text with a verification code when you log into your account from a new location.
If you are worried about using two-step verification because you don’t want to get locked out of the account when you are in the air (and can’t get your texts), there are ways to get around that.