Dropbox is forcing users with old passwords to change them.

The file-hosting company announced in a blog post that as a “preventative measure,” it is prompting anyone with a password that hasn’t changed since mid-2012 to change it.

There is, Dropbox says, “no indication that your account has been improperly accessed” if you see this prompt.

So what’s the rationale behind the move?

Well back in 2012, Dropbox disclosed that someone had managed to gain unauthorised access to the account of a Dropbox employee (because the employee had reused a password from another site that had been hacked). On his account, the company said at the time, was a “project document with user email addresses” — and this was subsequently used to spam Dropbox users.

This is where it gets a little unclear. In this week’s blog post, Dropbox says its security team “learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012,” and that its analysis “suggests that the credentials relate to an incident we disclosed around that time.” (Note: Salting and hashing are ways of encrypting and securing passwords so even if stolen, they should be useless to the hacker.)

This implies that the salted and hashed passwords came from the 2012 theft. But the blog post in 2012 doesn’t mention the theft of any passwords — only user email addresses.

The other alternative is that they come from other major hacks that have recently come to light, like LinkedIn and MySpace, and have subsequently been combined with the Dropbox email data. But that’s not what the recent blog post makes it sound like.

Someone familiar with the matter told Business Insider it was the former — that the passwords were taken in 2012, and that fact has only come to light now, prompting the reset.

The important point is that hackers can — and do, very frequently — employ this latter technique of taking login details from one hacked site and testing them on other sites to see if they work. This is why security experts recommend using strong, unique passwords for every account you have — because if you re-use passwords, once one account is compromised, they all are.

It’s a dead simple technique, and it’s believed to be behind the recent spate of hacks of Twitter accounts belonging to celebrities and high-profile users like Katy Perry and Mark Zuckerberg.

So if you re-use passwords, go ahead and change them — and use a password manager app if you have trouble remembering them.

Advertisements