What happened
According to public breach records, the Dropbox data breach on July 1, 2012 is reported to have exposed the personal information of 68,648,009 accounts.
In mid-2012, Dropbox suffered a data breach which exposed the stored credentials of tens of millions of their customers. In August 2016, they forced password resets for customers they believed may be at risk. A large volume of data totalling over 68 million records was subsequently traded online and included email addresses and salted hashes of passwords (half of them SHA1, half of them bcrypt).
Passwords in this breach were reportedly stored as SHA-1 hashes.
In July 2012, attackers used a Dropbox employee's stolen password to access an internal account containing a project document with user email addresses, ultimately exposing credentials for 68,648,009 accounts. The full scope stayed hidden until August 2016, when the stolen dataset surfaced online and was confirmed by breach-index services. The leaked passwords were stored as salted hashes — roughly half using older SHA-1 and half using stronger bcrypt — and the disclosure prompted Dropbox to force password resets.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Passwords
Breach details
| Detail | Value |
|---|---|
| Breach name | Dropbox |
| Date | July 1, 2012 |
| Accounts affected | 68,648,009 |
| Domain | dropbox.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Dropbox; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Dropbox password immediately if you haven't since 2016, and replace it anywhere you reused that same password
- Enable two-factor authentication on your Dropbox account and other sensitive logins
- Treat the exposed email address as a target for phishing — be cautious with unexpected messages referencing Dropbox or password resets
- Use a password manager so each account has a unique credential, limiting damage from any future leak
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- 68 Million Exposed in Old Dropbox Hack - SecurityWeek
- Intruders Pilfered Over 68 Million Passwords In 2012 Dropbox Breach - Dark Reading
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →