- Users registered before mid-2012 will be asked to reset their passwords
- Those who haven’t changed their password since then will also be asked
- This is due to a hacked file obtained by its intelligence team
Dropbox has sent out password resets to all of its users that have signed up for the service prior to mid-2012, or not changed their password since that time. The company asserts that no accounts have been hacked, and the reset is being done as “purely a preventative measure”.
The cloud storage company elaborates that measure is being taken after its intelligence team obtained an old set of Dropbox credentials (email addresses as well as hashed and salted passwords that may have been leaked in an ‘incident’ in 2012, referring to the massive Linkedin hack that year. The usernames and passwords stolen in the Linkedin hack, were used to sign in to many Dropbox accounts as well at that time. This obtained file also links back to the LinkedIn hack, and Dropbox is taking preventive measures to stop it from reoccurring. This file was held quietly for many years, but as it surfaced again, Dropbox wants all of its old users to reset their passwords.
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time. Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.
Dropbox even asks users to enable two-step verification for added security. In order to enable this, sign-in to Dropbox, and head to Settings > Security > Enable Two-Step Verification. This will add OTP as an added process every time you log-in. In 2014, Dropbox faced its first massive leak. An anonymous hacker got hold of roughly 7 million usernames and passwords and posted them all on PasteBin. However, Dropbox refused to acknowledge the leak, and claimed that the usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.