Dropbox just reset my user password
I check my emails first thing in the morning to make sure I do not miss anything important. Imagine my surprise when I received an email from the Dropbox team notifying me that my Dropbox password had been reset. I first thought that Dropbox had been hacked and the team had decided to play it safe and reset all user passwords. Reading on, I noticed that this was not the case. According to the email, no suspicious activity was discovered; the only stated reason for resetting the password is that some users use the same password on multiple services.
Hi Martin,
Recently, passwords have been stolen from some Internet services. This is a problem because many people use the same password on multiple services, which is unsafe.
As a precaution, we’ve reset your password and you can create a new one here.
We haven’t detected any suspicious activity in your Dropbox, but we’re proactively taking steps to keep users safe.
We know it’s easy to use a single password across different websites, but this means if any one site is compromised, all your accounts are at risk. If you’ve ever used the same password for more than one website, you should create new unique passwords for each of them. Tools like 1Password do this for you and can help make your accounts safer.
Best,
- The Dropbox Team
I verified both links in the email and both point to Dropbox.com, which rules out a phishing attempt in this case. One links to the blog for additional information, the other to the password reset page on the site.
According to the blog post, not all Dropbox passwords have been reset, but users who have not changed their password in a long time or have a commonly used password are affected by this.
Dropbox has also improved security significantly. The company has introduced a page that lists all active logins to the account and will integrate two-factor authentication into Dropbox in the coming weeks.
The blog post also addresses the spam mails that some Dropbox users have received in the last two weeks. According to Dropbox, attackers managed to get hold of an employee's Dropbox account that contained a document with user email addresses.
Resetting user passwords when there is no sign of a security breach or misuse is a bold move that is certainly going to irritate the part of the user base affected by it. When you look at the comments on the blog you will notice that many are furious about the change, with some even suspecting a cover-up of sorts.
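The link check described above (confirming that every link in the notice really points at dropbox.com), as an added example that is not from the original post: it pulls the hrefs out of a constructed sample body and compares the parsed hostname rather than the raw string, so a lookalike host or a userinfo trick cannot pass as the real domain. The reset-page path is a constructed placeholder; only the blog URL is the one the post discusses.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of the kind of HTML body a password-reset notice might
# carry (not the actual Dropbox email). The reset path is a placeholder; the
# third link is a lookalike host added to show why a substring check on
# "dropbox.com" is not enough.
SAMPLE_EMAIL_HTML = """
<p>As a precaution, we've reset your password and you can create a new one
<a href="https://www.dropbox.com/reset-page-placeholder">here</a>.</p>
<p>Read more on our
<a href="http://blog.dropbox.com/index.php/security-update-new-features/">blog</a>.</p>
<p><a href="https://www.dropbox.com.password-reset.example/login">Lookalike</a></p>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html: str) -> List[str]:
    """Return every href value in the HTML body, in document order."""
    return HREF_RE.findall(html)


def belongs_to_domain(url: str, domain: str) -> bool:
    """True only if the URL's host is exactly `domain` or a subdomain of it.

    Comparing the parsed hostname defeats lookalikes such as
    dropbox.com.evil.example and userinfo tricks such as
    https://dropbox.com@evil.example (whose real host is evil.example).
    """
    host = urlparse(url).hostname  # strips scheme, userinfo, port and path
    if not host:
        return False
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_links(html: str, domain: str) -> Dict[str, bool]:
    """Map each link in the email to whether it points at the expected domain."""
    return {url: belongs_to_domain(url, domain) for url in extract_links(html)}


if __name__ == "__main__":
    for url, ok in check_links(SAMPLE_EMAIL_HTML, "dropbox.com").items():
        print("OK  " if ok else "BAD ", url)
```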
I don’t remember my user name n password. I had pictures on the file n videos
It’s not that they can see your password but they can reset it on the server. Also I think what they mean by common password is that a lot of people use the same password over and over on different accounts, and if someone hacks your account (as we know nothing is foolproof) it is more than likely they have used the same password for Dropbox and their email. I’m happy a company like this has taken the time to see our files are safe.
So come clean, Martin. Were you using that password on other sites? :)
No I was not. I use unique passwords for all accounts.
Dropbox WAS hacked: http://news.cnet.com/8301-1009_3-57483998-83/dropbox-confirms-it-was-hacked-offers-users-help/
Well I would not really call that hacked to be honest.
I would call it hacked:
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again…
I would call it hacked.
http://blog.dropbox.com/index.php/security-update-new-features/
Just one more thing that folks will complain about and then accept. The gods reside in the cloud. Y’all are welcome to it.
I too was surprised when I received the email and was immediately upset that they had just up and reset my password. But honestly, I’d rather they did that than go for 6 months and THEN notify users saying how they think that they had a security breach 6 months ago and have been investigating it and are NOW working with the potentially affected users.
It’s just one of the many risks of using “cloud” services.
Microsoft has reduced the number of characters. My passwords have been truncated.
http://answers.microsoft.com/en-us/windowslive/forum/liveid-signin/why-a-password-16-character-length-max-for-windows/4b83a513-640c-4630-b986-840382e4efe9
I do agree that I’d prefer a false-positive password reset over one time where the company reacts too late or not at all. The reason given here, passwords that have not been changed for some time, is however something that I’d not consider reason enough to reset a user’s password.
I’ve never understood why not changing a password for a long time is a risk factor. The other day, my banker made me think when he saw that I didn’t change mine for a few years…. I said: but a password composed of 6 digits, do you believe that it is perhaps secure? And explain what a strong password is…
There is no definition of a secure password. I’m currently using 20+ character passwords using upper- and lowercase characters, numbers and special characters for all passwords where the length is not limited to less.
I definitely welcome 2-Factor authentication.
I agree. I’m using this for some time now on Google and PayPal and like it a lot.
If they protect phone numbers the way they protect email addresses or passwords, I wish you fun…
I got the email as well. I use a unique password in any case but the astounding news here is storing user emails in a regular old dropbox account. They are absolutely insane to have done that.
“According to the blog post, not all Dropbox passwords have been reset, but users who have not changed their password in a long time or have a commonly used password are affected by this.”
I wonder: how can they know that a password is commonly used? That means they can read it, which theoretically should not be the case…
We do not know because they do not share how passwords are stored on their servers. I doubt it is plain text but everything beyond that, who knows.
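One way a service that stores only salted hashes could still tell that an account uses a commonly used password, added here as an illustration and not as a description of Dropbox's actual system: recompute the hash of each entry of a short blocklist under the user's own salt and compare, or, more cheaply, reject blocklisted values at the moment a password is set. The store layout, iteration count, blocklist and users are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Hypothetical credential store: user -> (salt, PBKDF2-HMAC-SHA256 digest).
# Constructed for this example; it says nothing about how Dropbox stores
# credentials. Iteration count is kept low so the demo runs quickly.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build per-user salted hashes; the plaintexts are discarded afterwards."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def flag_common_passwords(store: Dict[str, Tuple[bytes, bytes]],
                          blocklist: List[str]) -> List[str]:
    """Return users whose stored hash equals the hash of a blocklisted password.

    The plaintext is never recovered: for each user the service hashes every
    known-common candidate under that user's salt and compares digests. This
    is why a salted-hash store does not rule out a "commonly used" check.
    """
    flagged = []
    for user, (salt, digest) in store.items():
        if any(hmac.compare_digest(hash_password(c, salt), digest) for c in blocklist):
            flagged.append(user)
    return flagged


def is_blocklisted_at_set_time(candidate: str, blocklist: List[str]) -> bool:
    """Cheaper check: reject a common password while the user is setting it,
    the one moment the plaintext is legitimately in memory."""
    return candidate in set(blocklist)


# Constructed blocklist and users; a real deployment would use a top-N list.
COMMON = ["password", "123456", "qwerty", "letmein"]
USERS = {"alice": "letmein", "bob": "Ck7#vR!p2zQ9mW4x", "carol": "123456"}

if __name__ == "__main__":
    print(flag_common_passwords(make_store(USERS), COMMON))
```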