Dropbox is making users reset old passwords, but it says it hasn't been hacked

Drew Houston, chief executive officer of Dropbox. (Photo: Drew Angerer/Getty Images)

Dropbox is forcing users with old passwords to change them.


The file-hosting company announced in a blog post that as a "preventative measure," it is prompting anyone with a password that hasn't changed since mid-2012 to change it.

There is, Dropbox says, "no indication that your account has been improperly accessed" if you see this prompt.


So what's the rationale behind the move?

Well, back in 2012, Dropbox disclosed that someone had managed to gain unauthorised access to the account of a Dropbox employee (because the employee had reused a password from another site that had been hacked). On that account, the company said at the time, was a "project document with user email addresses" - and this was subsequently used to spam Dropbox users.


This is where it gets a little unclear. In this week's blog post, Dropbox says its security team "learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012," and that its analysis "suggests that the credentials relate to an incident we disclosed around that time." (Note: Hashing and salting are ways of securing stored passwords - each password is run through a one-way function together with a random per-user value, the salt - so that even if the stored records are stolen, they should be useless to the hacker.)

This implies that the salted and hashed passwords came from the 2012 theft. But the blog post in 2012 doesn't mention the theft of any passwords - only user email addresses.

The other possibility is that the passwords come from other major hacks that have recently come to light, like LinkedIn and MySpace, and have subsequently been combined with the Dropbox email data. But that's not what the recent blog post makes it sound like.

We've reached out to Dropbox for clarification on this.

Either way, the important point is that hackers can - and do, very frequently - employ this latter technique of taking login details from one hacked site and testing them on other sites to see if they work. This is why security experts recommend using strong, unique passwords for every account you have - because if you re-use passwords, once one account is compromised, they all are.
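To make the two points above concrete - that salting stops a stolen hash from being matched directly against another site's database, yet does nothing once a reused password itself is known - here is a short added illustration (not Dropbox's code, and the PBKDF2 parameters are assumptions for the example):

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for this illustration only, not Dropbox's actual scheme.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def same_password_differs_across_sites(password: str) -> bool:
    """Two sites storing the same password with different salts hold different digests,
    so a digest leaked from one site cannot simply be looked up in the other's records."""
    _, digest_site_a = hash_password(password)
    _, digest_site_b = hash_password(password)
    return digest_site_a != digest_site_b


def reused_password_still_works(known_password: str, other_site_record: Tuple[bytes, bytes]) -> bool:
    """Salting does not help once the plaintext is known: a password recovered from one
    breach verifies against any other site where the same user reused it."""
    salt, digest = other_site_record
    return verify_password(known_password, salt, digest)


if __name__ == "__main__":
    # Constructed sample: the same (weak) password registered at two sites.
    record_at_other_site = hash_password("hunter2")
    print("different digests across sites:", same_password_differs_across_sites("hunter2"))
    print("reused password still logs in:", reused_password_still_works("hunter2", record_at_other_site))
```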


It's a dead simple technique, and it's believed to be behind the recent spate of hacks of Twitter accounts belonging to celebrities and high-profile users like Katy Perry and Mark Zuckerberg.

So if you re-use passwords, go ahead and change them - and use a password manager app if you have trouble remembering them.
