Dropbox is requiring all users who had an account prior to mid-2012 and haven’t changed their password since that time to reset it the next time they sign in.
Patrick Heim, Head of Trust & Security for Dropbox, said that their security teams are always watching out for new threats that could impact users. Recently, they learned about an old set of Dropbox user credentials – e-mail addresses as well as hashed and salted passwords – that were likely obtained by a bad actor in 2012.
Heim said they believe it is related to an incident they reported in July 2012.
The good news is that none of the compromised accounts appear to have been improperly accessed, but out of an abundance of caution, Dropbox is requiring those who haven’t changed their passwords since that time to do so now. Dropbox also recommends the use of two-factor authentication.
In fact, it’s probably a good idea to go ahead and change the credentials for all of your online accounts, giving each one a unique password that wouldn’t be easy to guess. Dropbox is also sending e-mails to some users to inform them of the move.
Considering that many people use the same password across multiple online accounts, it’s no surprise that some hackers are cross-referencing the data in this breach with information obtained from other leaks to gain access to various other accounts and services.
In an e-mail to Motherboard, Dropbox spokesperson Nick Morris said they don’t disclose specifics of their investigations for security reasons.