Dropbox started notifying users today, asking them to reset their account password, following a security breach that occurred in mid-2012.
The email that users received contained a link to a Dropbox help topic, where the company explained to users the reasons why they were taking these steps.
Dropbox learned of security breach dating back to mid-2012
As Dropbox wrote, the company recently became aware of the presence of some old Dropbox user details online. This data included email addresses, and hashed & salted passwords.
After analyzing the data, Dropbox believes the breach occurred in mid-2012, and as such, is asking all users that registered on its site before mid-2012 to reset their account passwords.
Only users that registered before that date and those who have not reset their password since then were notified via email.
Dropbox investigated the breach in 2012 but didn’t detect its true size
The company tied the incident to a blog post it wrote on July 31, 2012. Back then, the Dropbox crew explained that some users that registered on the site with a unique email address started receiving spam, meaning their email address was exposed outside Dropbox servers.
Dropbox investigated and discovered that unknown hackers had accessed some user accounts. The Dropbox staff said that most incidents that occurred in 2012 were because of password reuse, and not because of a server breach, a reason why not all users were prompted to update their passwords in 2012.
Now, the company is taking this step before attackers start using the old data to compromise user accounts. Dropbox’s action is a precautionary measure, and the company says that it didn’t detect any new events where crooks illegally accessed user accounts.
Most people use Dropbox to back up important documents. It may be a good idea that those users (and everyone else) turn on two-factor authentication (2FA) for their accounts, which Dropbox has been supporting since its early days.
Dropbox is one of the happy cases where security really matters inside a company. For example, Sony, after the devastating data breach from 2011 that brought down the PlayStation Network for 23 days, only yesterday announced support for 2FA for the PlayStation Network, five years later.
