Popular cloud storage provider Dropbox is urging users who haven’t changed their passwords since mid-2012 to update their credentials. The move comes after data from a 2012 breach resurfaced, prompting fears that the stolen information could be used to compromise user accounts.
Dropbox has sent out a note to its users, asking those who have not changed their passwords since mid-2012 to come up with new alphanumeric passwords.
“We are prompting a password update purely as a preventative measure,” a FAQ by Dropbox read. “We have no indication your account was improperly accessed.”
The company revealed that its security team had learned that an old batch of user credentials from 2012, containing email addresses and salted, hashed passwords, had resurfaced. At the time, usernames and passwords stolen from a significant breach were being used to sign into a number of Dropbox accounts. That breach was the LinkedIn hack, which saw some 117 million login credentials leaked online earlier this year.
More notably, a stolen password was used to access an employee’s Dropbox account, which contained a document that held users’ email addresses. This, the investigation revealed, led to the owners of those email addresses receiving spam emails.
Now, that set of passwords and email addresses is turning up again.
The company stated:
“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”
For good measure, the cloud storage provider is also recommending users enable two-factor authentication. Although not hacker-proof, the security feature in Dropbox requires users to enter a six-digit security code or key, in addition to the password, at the time of logging in.