Dropbox Forces Some Users to Reset Passwords; Cites Leaked Credential Cache

Dropbox has sent out password resets to all of its users that have signed up for the service prior to mid-2012, or not changed their password since that time. The company asserts that no accounts have been hacked, and the reset is being done as "purely a preventative measure".

The cloud storage company elaborates that measure is being taken after its intelligence team obtained an old set of Dropbox credentials (email addresses as well as hashed and salted passwords that may have been leaked in an 'incident' in 2012, referring to the massive Linkedin hack that year. The usernames and passwords stolen in the Linkedin hack, were used to sign in to many Dropbox accounts as well at that time. This obtained file also links back to the LinkedIn hack, and Dropbox is taking preventive measures to stop it from reoccurring. This file was held quietly for many years, but as it surfaced again, Dropbox wants all of its old users to reset their passwords.

Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time. Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in.

If you are a Dropbox user, we recommend you to change your password anyway, even if you've registered for the service post 2012. Users who joined Dropbox before mid-2012, or who haven't changed their password since then, will get a password reset prompt automatically when they next sign in. Just follow the steps to change password, and ensure that you have strong password for added security (Dropbox has a password strength meter, use a mix of letters, numerals, and symbols). For users who haven't received a prompt, head to this page, enter registered email ID, and click the link that you receive in email to enter your new password.

Dropbox even asks users to enable two-step verification for added security. In order to enable this, sign-in to Dropbox, and head to Settings > Security > Enable Two-Step Verification. This will add OTP as an added process every time you log-in. In 2014, Dropbox faced its first massive leak. An anonymous hacker got hold of roughly 7 million usernames and passwords and posted them all on PasteBin. However, Dropbox refused to acknowledge the leak, and claimed that the usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.