Cloud storage provider Dropbox sent email notifications to longtime users who had not changed their passwords since mid-2012, urging them to change their passwords now -- and consider enabling two-factor authentication, while they are at it.
Although Dropbox claimed the move was purely a "preventive measure," and there were no indications any customer accounts had been improperly accessed, questions remain about the reason for the notification.
"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time," Patrick Heim, head of trust and security at Dropbox, wrote in a blog post.
"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."
Some were quick to recall that Dropbox passwords were misused in 2012, when Aditya Agarwal, vice president of engineering, wrote that a Dropbox investigation "found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts."
Marc Rogers, security researcher at CloudFlare, tweeted:
"Definitely not related to an incident that definitely wasn't a breach 4 years ago in 2012 either." https://t.co/sUJVrYFZpL (Marc Rogers, @marcwrogers, August 27, 2016)
In 2014, an anonymous hacker claimed to have obtained Dropbox passwords and usernames for 6.9 million accounts, but Dropbox denied a breach. Anton Mityagin, Dropbox's security engineering manager, wrote, "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."