More than 60 million logins apparently belonging to Dropbox users have been spread across the internet.
The cloud storage company has said that there doesn’t appear to be any indication that users have been hacked after the data dump, which compromises the security of many of its users.
The firm has said that it believes that the database – which includes usernames and encrypted passwords – was stolen in a breach in 2012.
The website Motherboard said that it had seen some of the passwords that were stolen during the breach, and are now available for sale online.
Users have been advised to change their passwords if they have been re-used.
A spokesman for Dropbox, which has 500 million registered users worldwide, said: "We can confirm that based on our intelligence, the number we have seen is in the 60-plus million range."
The firm added that it had completed a process of resetting passwords, including through a warning to users who signed up before mid-2012.
Dropbox head of trust and security Patrick Heim said: "This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed.
"Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012.
"We can confirm that the scope of the password reset we completed last week did protect all impacted users.
"Even if these passwords are cracked, the password reset means they can't be used to access Dropbox accounts. The reset only affects users who signed up for Dropbox prior to mid-2012 and hadn't changed their password since."
But Mr Heim warned that people who use the same password for other applications and websites should consider changing them as well.
He said: "While Dropbox accounts are protected, affected users who may have reused their password on other sites should take steps to protect themselves on those sites.
"The best way to do this is by updating these passwords, making them strong and unique, and enabling two-step verification. Individuals who received a notification from Dropbox should also be alert to spam or phishing."
In 2014, the company was forced to deny that it had been hacked after an anonymous account posted what it claimed were the usernames and passwords of millions of the site's users.
An anonymous post to website Pastebin, traditionally used to save text users would like to paste elsewhere later, contained a list of email log-ins and passwords the hacker claimed were linked to Dropbox accounts.
The post claimed that more than 6.9 million Dropbox accounts had been hacked, and that more would be posted if donations of digital currency Bitcoin were made.
The company's spokesman added: "There is no connection between our actions to proactively reset users' passwords last week and the claimed breach in 2014."
Additional reporting by agencies
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies