Since Dropbox sent out password resets last week to users who signed up before 2012 and haven't changed their log-in details since, it's not hard to believe that the files are legit. The company mentioned in the help center entry about the resets that it doesn't believe any of the accounts were improperly accessed. While there's no way to prove that, Motherboard's and Hunt's findings support that claim.

All of the passwords in the list are salted and hashed, though only 32 million are protected by a strong hashing algorithm called bcrypt. The other half uses an older, weaker algorithm called SHA-1. It doesn't look like the files are being sold on the dark web yet. But to be safe, it's best to change your Dropbox passwords and activate two-factor authentication when you can.

Update: We updated Troy Hunt's information. He's not an employee but part of Microsoft's Regional Director Program. [Thanks, Keith]