Online storage service Dropbox began notifying users over the weekend that if they haven’t updated their password since 2012, they’ll be prompted to update it the next time they log into their account.
The company claims the move is “purely a preventative measure” and stressed that there’s no proof users’ accounts have been improperly accessed.
Patrick Heim, the company’s Head of Trust and Security, informed users late Thursday the move follows the discovery of a cache of Dropbox user credentials that date back to 2012. The database contains email addresses, plus hashed and salted passwords, according to Heim.
“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” Heim wrote, “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”
The company doesn’t believe that any accounts have been breached but it’s still covering its bases by forcing a password change for older user accounts. Hashing and salting passwords isn’t a silver bullet but it does make it more difficult to decipher passwords.
The company is encouraging users to update to a more robust password and if they haven’t enabled two-step verification to do so in order to add an extra layer of security to their account. The company is also encouraging users who have used the same password for another service to change that password as well.
Dropbox believes the set of leaked user credentials stems from an incident it dealt with in the summer of 2012, when an attacker used a handful of illicitly obtained usernames and passwords to break into Dropbox accounts, including one belonging to a Dropbox employee.
Users were hit with spam emails advertising casinos and other gambling services at the time. Despite user complaints Dropbox was resolute for about two weeks that it hadn’t seen any unauthorized activity on the service. It eventually acknowledged the incident a few weeks later in August.
Dropbox bolstered its security in the wake of the incident; it was one of the first services to implement two-factor authentication following the breach. It also launched an automated mechanism that it uses to detect suspicious activity.
Last spring, with help from HackerOne, the company launched a bug bounty program to pay security researchers who discover vulnerabilities in the service.