Dropbox prompts users to reset old passwords

Dropbox called out to users who haven't changed their passwords since mid-2012, saying the login credentials are potentially at risk and should be updated.
Written by Natalie Gagliordi, Contributor

Dropbox is asking users to change their old passwords as part of a "preventative measure".

In a blog post, the file-sharing and cloud storage company called out to users who haven't changed their passwords since mid-2012, saying the login credentials are potentially at risk and should be updated.

Dropbox insists, however, that it's just being pragmatic, and that there's no indication any accounts have been compromised.

Instead, Dropbox is just trying to shore up any loose ends from a previous security breach disclosed in 2012, when it discovered that usernames and passwords were stolen from other websites and used to log into a "small number" of Dropbox accounts.

"Our security teams are always watching out for new threats to our users," wrote Patrick Heim, head of security for Dropbox.

"As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed."

Dropbox said users with these older passwords will be prompted to update them upon their next log-in attempt. The company is also recommending users take advantage of its two-factor authentication services, which have been rolling out over the last couple of years.

Like other cloud tech providers, Dropbox has long battled security breaches on its platform. Two years ago, an unnamed hacker group claimed that it had accessed nearly 7 million Dropbox accounts and threatened to publish them unless it was paid in Bitcoin. In that incident, Dropbox said again that it had not been hacked and that the passwords were stolen from other services.

In 2013, Dropbox admitted that it had inadvertently published code on its website that allowed anyone to sign in to any Dropbox account without credentials.
