
Dropbox hasn't been hacked but still wants you to change your password

These days, whenever a company tells its users to change their passwords, it's probably safe to assume that some kind of security breach has taken place. But that's not always the case.

Businesses are having to be more proactive than ever to protect themselves and their customers in the current threat landscape. Cloud storage provider Dropbox seems to be embracing that spirit by encouraging its long-term users to change their passwords, despite no breach having taken place.

Users who haven't changed their passwords since 2012 are being urged to pick new ones, with Dropbox saying it is just a "preventive measure, and there is no indication that your account has been improperly accessed."

In a blog post published yesterday, Patrick Heim, head of trust and security at Dropbox, explained the company's reasoning: "Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012.

"Our analysis suggests that the credentials relate to an incident we disclosed around that time."

So there's no need to panic: Dropbox hasn't been breached, but everyone should still take this as an opportunity to update their passwords. Organisations are finding it harder than ever to deal with data breaches, and high-profile incidents affecting the likes of Oracle and Yahoo should have everyone thinking about their online security.

Dropbox should be applauded for being proactive. Hopefully other businesses will follow the example.

Charles Read, Regional Director for UK, Ireland and Benelux at OneLogin commented: "The recent announcement that Dropbox is to force password resets on accounts that haven’t been reset since 2012 is a really positive move to come from a vendor as large as Dropbox. For consumers, it's very common to see the same password being used for multiple services, despite contrary advice from multiple vendors.

"As such, the compromised LinkedIn credentials from 2012 could well be the same credentials that users still have for their Dropbox account, putting both themselves and Dropbox at risk. In the corporate world, utilising a password as the only form of authentication for multiple accounts is already considered as weak security, however we are yet to see consumers apply this approach to the protection of their personal credentials.

"By adopting two factor authentication on top of regular passwords it's possible to significantly reduce the risk coming from compromised credentials."
