Dropbox may have reset your password, just now

Martin Brinkmann
Aug 26, 2016

If you are a Dropbox customer, you may have received an email from the company informing you that it reset the password of your Dropbox account.

The email offers little information about why, only that it is a reaction to a security incident that took place in mid-2012.

This means that user accounts are only affected if they are at least that old.

We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.

To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at password-reset-help@dropbox.com.

Dropbox's email contains a link to a FAQ help page that answers some of the questions. Probably the most important answers are what you need to do right now, and why the password was reset in the first place.

Reason for the password reset

It appears that Dropbox got their hands on a dump file that lists Dropbox user credentials. According to the company, it contains Dropbox usernames (usually an email address), and salted passwords.

All Dropbox users who are on that list receive an email from Dropbox with the information posted above.

Dropbox considers this move a precaution, as it is not aware of any attacks against, or unauthorized access to, any of the Dropbox accounts on that list.

We are prompting a password update purely as a preventive measure. We have no indication your account was improperly accessed.

Affected users will be prompted to change their account password on the next sign in to Dropbox. This is only the case for users who have not changed their passwords since mid-2012. If you did, you are good.

What Dropbox wants you to do

Dropbox reset the passwords of affected accounts. This means that you will receive a prompt to create a new password on your first sign in to the service on dropbox.com.

You may initiate the "forgot your password" process instead if you prefer it that way. Simply enter your Dropbox email on the first page, click on the link in the email that you will receive, and enter a new password for the account.

Also, if you have two-factor authentication enabled, you need to complete the second authentication step to finish the process.

Note: If you used the same email and password combination on other sites, you may want to update your passwords on those sites as well, as attackers may try to sign in using that combination (if they are able to crack the password).

It also appears that two-factor authentication SMS codes are currently delayed.

Now you: Did you receive an email from Dropbox?

Publisher: Ghacks Technology News

Comments

  1. dc said on August 28, 2016 at 1:20 am

    I got this email as well and logged in to Dropbox. It did not reset my password, nor had any notifications on the site that it will do so.

    Hmm!

  2. jmjsqared said on August 27, 2016 at 6:33 pm

    Huh? Will someone please explain what possibly could have happened that took four+ years to discover or whether Dropbox is likely fibbing about something.

  3. Dave said on August 27, 2016 at 5:44 pm

    They deleted my account instead. They said I hadn’t used it for 5 years or something. Probably true.

  4. intelligencia said on August 27, 2016 at 9:51 am

    Hello.

    I have Never had a Dropbox account and yet I Still received this Notification at my e-mail address.
    What Gives?

    i

    1. Earl said on August 27, 2016 at 9:29 pm

      Now that’s what I would call being proactive (to the max). ;)

  5. Earl said on August 26, 2016 at 11:40 pm

    Actually, it’s only about your email address being used as your username at other sites you visit/join (like LinkedIn), which is an absolutely normal thing these days (and the potential for some users to use the same password across a number of sites). Maybe if so many sites didn’t force/default people to use their email address as their username…? Still, they shouldn’t force-reset passwords arbitrarily.

  6. insanelyapple said on August 26, 2016 at 11:51 am

    The only mail I’ve got from them was another (3rd) notification that my account will be deleted in 15 days. Which I really don’t need since they added Condoleezza Rice to the board of directors – that was security and privacy reason enough to say “thanks” for their service.

  7. Ben said on August 26, 2016 at 10:14 am

    Oh after all those years they finally admit it.
    Well, let's see if my email arrives or if this was yet another leak.

  8. anohana said on August 26, 2016 at 9:39 am

    I didn’t receive e-mail from Dropbox. Well, I don’t store sensitive data in the cloud, except Keepass, but it’s encrypted, so I don’t worry.

    Thank you for the information, Martin!

  9. Gabriel said on August 26, 2016 at 8:40 am

    Thanks for the heads up, Martin.
    Seems like it’s more and more difficult to trust cloud storage services.
    Luckily I encrypt everything before uploading it.

    1. Martin Brinkmann said on August 26, 2016 at 9:13 am

      Encryption is the best thing you can do if you plant files in the cloud.
