Users urged to change Dropbox passwords and enable 2FA

Cloud storage provider warns longtime users that it's time to change Dropbox passwords, as a precaution, after discovering an old set of Dropbox credentials was exposed -- in 2012.

Cloud storage provider Dropbox sent email notifications to longtime users who had not changed their passwords since mid-2012, urging them to change their passwords now -- and consider enabling two-factor authentication, while they are at it.

Although Dropbox claimed the move was purely a "preventive measure," and there were no indications any customer accounts had been improperly accessed, questions remain about the reason for the notification.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time," Patrick Heim, head of trust and security at Dropbox, wrote in a blog post.

"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."

In addition to urging customers to use strong passwords, Heim also recommended that users enable Dropbox's "two-step" verification, its version of two-factor authentication, on their accounts.

Some were quick to recall that Dropbox passwords were misused in 2012, when Aditya Agarwal, vice president of engineering, wrote that a Dropbox investigation "found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts."

Marc Rogers, security researcher at CloudFlare, tweeted:

In 2014, an anonymous hacker claimed to have obtained Dropbox passwords and usernames for 6.9 million accounts, but Dropbox denied a breach. Anton Mityagin, Dropbox's security engineering manager, wrote, "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."
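The kind of suspicious-login detection Mityagin describes, as an added example that is not Dropbox's code: it flags source addresses that fail logins against many distinct accounts (the signature of credentials stolen elsewhere being replayed here), then lists the accounts that nonetheless got a successful login from such an address, which are the ones to force through a password reset. The log line format, the field names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real Dropbox data). Assumed format:
# <ISO timestamp> ip=<addr> user=<email> result=<ok|fail>
SAMPLE_LOG = """\
2016-08-25T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2016-08-25T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2016-08-25T10:00:03Z ip=203.0.113.7 user=carol@example.com result=ok
2016-08-25T10:00:04Z ip=203.0.113.7 user=dave@example.com result=fail
2016-08-25T10:00:05Z ip=203.0.113.7 user=erin@example.com result=fail
2016-08-25T10:01:00Z ip=198.51.100.9 user=frank@example.com result=fail
2016-08-25T10:01:30Z ip=198.51.100.9 user=frank@example.com result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def credential_stuffing_sources(events, min_accounts=3):
    """IPs that failed logins against at least `min_accounts` distinct accounts.
    A user fumbling their own password touches one account; a replay of a
    third-party credential dump touches many, and most fail because the
    reused password is wrong on this service."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            failed_users[e["ip"]].add(e["user"])
    return {ip for ip, users in failed_users.items() if len(users) >= min_accounts}

def accounts_to_reset(events, min_accounts=3):
    """Accounts with a successful login from a flagged source: the reused
    password worked here, so the account gets an automatic password reset."""
    bad_ips = credential_stuffing_sources(events, min_accounts)
    return sorted({e["user"] for e in events
                   if e["result"] == "ok" and e["ip"] in bad_ips})

if __name__ == "__main__":
    print(accounts_to_reset(parse(SAMPLE_LOG)))  # ['carol@example.com']
```

The single-account failure from 198.51.100.9 is left alone, since one user retrying their own password should not trigger a reset.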
