Dropbox Forces Password Resets After User Credentials Exposed

Earlier this month, data traders circulated a sample of apparent Dropbox user accounts in anticipation of a larger sale.

Dropbox is forcing a number of users to change their passwords after discovering a set of account details linked to an old data breach.

"The next time you visit, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria," the company writes on its website. This will apply to users who created their accounts before mid-2012, and who have not changed their password since.


The company has also sent emails to users, informing them of the move. "This is purely a preventive measure, and we're sorry for the inconvenience," the email reads.

On its website, the company says the credentials are related to a previously disclosed incident from 2012.

"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time," the company writes.

In a potentially related move, data traders earlier this month circulated a sample of alleged account details for the site.

A few weeks ago, Motherboard obtained a small sample of just under 30 email addresses and hashed passwords that were advertised as belonging to Dropbox. Twenty-three corresponded to accounts on the site. A hacker claimed he was able to access some of the accounts by looking up passwords of the same users in other data collections.

Multiple data traders relayed to Motherboard that the accounts were supposedly from a larger breach of Dropbox from a number of years ago, and that the sample was released in anticipation of a larger sale of data.

It is not immediately clear whether the sample Motherboard obtained is the same set of credentials that spurred Dropbox's password reset. The company was not able to provide clarification in time for publication.

"We don't disclose specifics of our investigations for security reasons," Nick Morris, a Dropbox spokesperson, said in an email.

The lesson: As Dropbox recommends, users should avoid using the same password on multiple services and enable two-factor authentication. That way, even if your account was affected by a breach or other incident, the damage would be minimised.