Online storage platform Dropbox is resetting user passwords that have not been changed since 2012, the company has announced. The move is a precautionary step rather than the result of a new security incident.
In a blog post outlining the move, Patrick Heim, head of trust & security, said any user that opened an account before the middle of 2012 and had not changed the password since then would be asked to do so next time they log in.
“We’re doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed,” the blog said.
All this stems from the problem of password reuse—where a user picks the same password for multiple websites or services. Back in 2012, Dropbox revealed that a security breach at the company had occurred when a number of user accounts were accessed, using credentials stolen from another website, possibly LinkedIn or even the MySpace hack.
One of the accessed accounts belonged to a Dropbox employee, whose account contained a document that listed user email addresses. These email addresses were stolen and subsequently targeted by spam emails.
Now it seems that the company is concerned credentials stolen in those breaches could be used to access those Dropbox accounts that have not changed passwords since 2012.
Password reuse is one of the most common way hackers gain access to user accounts. Once an email address and password are stolen from one service, the hacker will try the same combination on other websites, often with success. Making sure passwords are unique and regularly changing is one good step to take to improve your online security.
Another step, which Dropbox has suggested, is to use two-factor authentication wherever it is offered. Once set up, 2FA is a great way to add a layer of security to online accounts by sending a unique, one-time code to a mobile device, which then has to be entered alongside the password for access to be granted.
Photo © Markus Gann