If you haven't changed your Dropbox password for 4 years, do so now

Firm says mandatory reset is linked to 2012 LinkedIn mega-breach

Dropbox is forcing users to reset passwords that haven’t been changed since mid-2012, when LinkedIn suffered a mega-breach.

An email sent to Dropbox users this morning informed them that the reset was solely a preventative measure, and not as a result of any new breach.

Dropbox said that no accounts have been breached and the reset affects all users regardless of the strength of their passwords.

Back in 2012, Dropbox informed users that their security was in danger following the breach at LinkedIn, after an employee was hacked and the business sent out an awful lot of spam.

Speaking to The Register, Dropbox said the password reset is because of the LinkedIn breach, adding that Dropbox's threat intelligence team only very recently became aware of user credentials being shared in the wild. The company said it is investigating but was unwilling to offer any more information.

Dropbox implements independent security audits and certifications and offers bug bounties of at least $216 for the most trivial bugs, it told El Reg, with no upper limit on bounties paid – although the highest payout to date has been $78,317. In addition, Dropbox has built a password strength estimator called “zxcvbn” and “uses bcrypt to hash your passwords”, as well as offering 2FA for users. ®


Biting the hand that feeds IT © 1998–2017