Dropbox is asking users who signed up for its service prior to mid-2012 and haven't changed their password since then to do so now.
Popular cloud storage service Dropbox is prompting users who signed up for its service prior to mid-2012 and haven't changed their password since then to reset their passwords now, the company announced. The announcement seems to be related to the widely publicised LinkedIn hack in 2012 that saw over 6.5 million encrypted passwords posted online at the time. In May, another data dump containing the credentials of 117 million LinkedIn members was put up for sale on the dark web forum The Real Deal by a hacker going by the name of "Peace".
"Our security teams are always watching out for new threats to our users," Patrick Heim, head of trust and security at Dropbox, wrote in a blog post. "As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."
In July 2012, Dropbox reported that usernames and passwords obtained in the 2012 leak were used to sign in to a small number of Dropbox accounts. They said they had contacted the affected users to help them protect their accounts and data.
During that incident, an employee's Dropbox account containing a project document with user email addresses was accessed using a stolen password, which the company believes led to the spam emails reported by users at the time.
Based on their threat monitoring and the way they secure passwords, the company says they do not believe any accounts have been breached. However, as a precaution, they are now requiring any user who hasn't changed their password since mid-2012 to update it the next time they sign in.
Dropbox's announcement follows multiple "mega breaches" at Myspace and LinkedIn that compromised millions of customer accounts and sparked concerns over the re-use of old passwords across multiple accounts and sites, a practice that leaves users vulnerable to attack online.
"If you don't receive a prompt, you don't need to do anything," Heim wrote. "However, for any of you who've used your Dropbox password on other sites, we recommend you change it on Dropbox and other services." The company is also recommending that users enable two-factor authentication when resetting their passwords.