Dropbox is requiring users who have not changed their passwords since mid-2012 to reset their passwords this afternoon.
The action appears to be related to continued fallout from the massive hack on LinkedIn in 2012, in which credentials for 117 million accounts were posted online. In recent months, other large troves of user credentials and passwords, including those from a MySpace hack disclosed in May, have surfaced. Even though the data for these accounts is old, passwords often remain unchanged for long periods and are reused across multiple accounts, leaving entire online identities vulnerable to takeover.
Dropbox’s intelligence team identified the existence of a file that contained hashed and salted passwords, according to a person familiar with the matter. That file pertains to passwords that were likely obtained in connection with the LinkedIn hack. While the information appears to have been taken at that time and quietly held since, it is now surfacing, this person said. Dropbox earlier disclosed that usernames and passwords obtained in 2012 were used to access some accounts.
So far, Dropbox doesn’t believe that any accounts have been improperly accessed, the company said in a blog post. During the 2012 incident, one Dropbox employee’s account was accessed; it held a project document that contained user email addresses. In connection with the discovery of the file, Dropbox is requiring users to reset their passwords if they have remained unchanged since mid-2012.
It’s not surprising that Dropbox would react this way to account credentials surfacing. While a broad password reset can carry some negative optics, requiring one is generally the best practice: it lets the company lock down its data and keep the service from being further compromised. If account takeovers start creeping in and spreading across more and more of the user base, they can undermine both a company’s security and the perception of it. For a company holding onto your files, especially sensitive or important ones, that perception can be almost as important as the security itself.
It’s generally good practice not to leave these old passwords sitting around. Dropbox’s efforts, while proactive, underscore the necessity of strong password hygiene. Just because passwords were set on old services that have faded into history (see: MySpace) doesn’t mean they can’t come back and have repercussions today if the same passwords are still in use elsewhere.
This is also just a good general moment in time to remind people to please set up two-factor authentication. Two-factor authentication may be a bit of a pain in the log-in process, but it’s one of the best ways to better secure an account. Two of the best possible strategies to avoid security breaches across multiple accounts are to have two-factor authentication set up and to use a different password for each account, so that a breach of one does not leave the others susceptible.