
Users urged to change Dropbox passwords and enable 2FA

Cloud storage provider warns longtime users that it's time to change Dropbox passwords, as a precaution, after discovering an old set of Dropbox credentials was exposed -- in 2012.

Cloud storage provider Dropbox sent email notifications to longtime users who had not changed their passwords since mid-2012, urging them to change their passwords now -- and consider enabling two-factor authentication, while they are at it.

Although Dropbox claimed the move was purely a "preventive measure," and there were no indications any customer accounts had been improperly accessed, questions remain about the reason for the notification.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time," Patrick Heim, head of trust and security at Dropbox, wrote in a blog post.

"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."

In addition to urging customers to use strong passwords, Heim also recommended that users enable "two-step verification," Dropbox's name for two-factor authentication, on their accounts.

Some were quick to recall that Dropbox passwords were misused in 2012, when Aditya Agarwal, vice president of engineering, wrote that a Dropbox investigation "found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts."

Marc Rogers, security researcher at CloudFlare, tweeted:

In 2014, an anonymous hacker claimed to have obtained Dropbox passwords and usernames for 6.9 million accounts, but Dropbox denied a breach. Anton Mityagin, Dropbox's security engineering manager, wrote, "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."
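The detection-and-reset measure Mityagin describes, stolen credentials from other sites being tried against Dropbox logins, can be illustrated with a simple credential-stuffing heuristic over login logs. This is an added example written for this page, not Dropbox's detection logic, which the statement does not describe. The log line layout, the documentation-range IP addresses, the thresholds (at least five distinct accounts from one source within ten minutes with a failure ratio of 70 percent or more) and the sample lines in `SAMPLE_LOG` are all constructed for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example; the field layout is an assumption,
# not any real provider's log format. 198.51.100.7 is a stuffing source cycling
# through leaked email/password pairs; 192.0.2.10 is one user mistyping once.
SAMPLE_LOG = """\
2016-08-26T10:00:01Z ip=192.0.2.10 user=alice@example.com result=ok
2016-08-26T10:00:05Z ip=192.0.2.10 user=alice@example.com result=fail
2016-08-26T10:00:09Z ip=192.0.2.10 user=alice@example.com result=ok
2016-08-26T10:01:00Z ip=198.51.100.7 user=bob@example.com result=fail
2016-08-26T10:01:02Z ip=198.51.100.7 user=carol@example.com result=ok
2016-08-26T10:01:04Z ip=198.51.100.7 user=dave@example.com result=fail
2016-08-26T10:01:06Z ip=198.51.100.7 user=erin@example.com result=ok
2016-08-26T10:01:08Z ip=198.51.100.7 user=frank@example.com result=fail
2016-08-26T10:01:10Z ip=198.51.100.7 user=grace@example.com result=fail
2016-08-26T10:01:12Z ip=198.51.100.7 user=heidi@example.com result=fail
2016-08-26T10:01:14Z ip=198.51.100.7 user=ivan@example.com result=fail
2016-08-26T10:01:16Z ip=198.51.100.7 user=judy@example.com result=fail
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, ip, user, success) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "ok"))
    return sorted(events)


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.7) -> set:
    """Flag source IPs that, within any `window`, tried at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.

    Requiring many distinct accounts separates credential stuffing (one
    password per account, most of them wrong) from a brute-force attack on a
    single account, which a per-account lockout handles instead.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = set()
    for ip, evs in by_ip.items():
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            span = evs[i:j]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged.add(ip)
                break
    return flagged


def accounts_to_reset(events, flagged_ips: set) -> set:
    """Accounts a flagged source logged into successfully: their reused password
    is now known to the attacker, so they get the automatic reset the statement describes."""
    return {user for _, ip, user, ok in events if ok and ip in flagged_ips}


def analyze(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    flagged = flag_stuffing_sources(events)
    return {"flagged_ips": flagged, "reset_accounts": accounts_to_reset(events, flagged)}


if __name__ == "__main__":
    print(analyze())
```

On the constructed log, only 198.51.100.7 is flagged, and only carol and erin, the two accounts whose reused passwords actually worked, are queued for a reset; alice's single typo from 192.0.2.10 is left alone. Real deployments would also key on ASN, user agent and geography rather than a bare source IP, since stuffing traffic is usually spread across proxies.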

Next Steps

Find out more about password change frequency and handling password reuse.

Read about why the biggest problem with passwords is not what you think it is.

Learn more about how LogMeIn responded after discovering stolen user credentials in data dumps.


How did you feel about Dropbox's password reset message?
It’s more than a little scary that some passwords are four or more years old. As far as the message Dropbox sent, I think it shows that they’re reassessing their responsibility to security and their customers.
Correct horse battery staple

Serious question: If the password is strong, and is not reused anywhere, how often should it be changed?
MFA makes sense on so many levels for so many applications as a defense-in-depth approach to security, and I’m a little surprised that they haven’t already required users to adopt MFA.
I agree, on all points. I don't understand why we're not all walking around with authentication tokens of some sort.