Dropbox just reset my user password

Martin Brinkmann
Aug 1, 2012
Updated • Dec 26, 2012
Internet

I check my emails first thing in the morning to make sure I do not miss anything important right away. Imagine my surprise when I received an email from the Dropbox team notifying me that my Dropbox password had been reset. I first thought that Dropbox had been hacked and the team had decided to play it safe and reset all user passwords. Then I read on and noticed that this was not the case. According to the email, no suspicious activity was discovered; the only stated reason for resetting the password is that some users use the same password on multiple services.

Hi Martin,

Recently, passwords have been stolen from some Internet services. This is a problem because many people use the same password on multiple services, which is unsafe.

As a precaution, we’ve reset your password and you can create a new one here.

We haven’t detected any suspicious activity in your Dropbox, but we’re proactively taking steps to keep users safe.

We know it’s easy to use a single password across different websites, but this means if any one site is compromised, all your accounts are at risk. If you’ve ever used the same password for more than one website, you should create new unique passwords for each of them. Tools like 1Password do this for you and can help make your accounts safer.

Best,
- The Dropbox Team

I verified both links in the email; both point to Dropbox.com, which rules out a phishing attack. One links to the blog for additional information, the other to the password reset page on the site.

According to the blog post, not all Dropbox passwords have been reset, but users who have not changed their password in a long time or have a commonly used password are affected by this.

(Screenshot: Dropbox active sessions page)

Dropbox has furthermore improved security significantly. The company has introduced a page that lists all active logins to the account and will integrate two-factor authentication into Dropbox in the coming weeks.

The blog post also addresses the spam mails that some Dropbox users have received over the last two weeks. According to Dropbox, attackers managed to get hold of an employee's Dropbox account that contained a document with user email addresses.

Resetting user passwords when there is no sign of a security breach or misuse is a bold move that is certainly going to irritate the part of the user base affected by it. When you look at the comments on the blog you will notice that many are furious about the change, with some even suspecting a cover-up of sorts.


Comments

  1. ixckra said on September 22, 2012 at 1:01 am
    Reply

    I don’t remember my user name and password. I had pictures and videos in the file.

  2. damian said on August 2, 2012 at 5:56 am
    Reply

    It’s not that they can see your password, but they can reset it on the server. Also, I think what they mean by common password is that a lot of people use the same password over and over on different accounts, and if someone hacks your account (as we know nothing is foolproof) it is more than likely they have used the same password for Dropbox and their email. I’m happy a company like this has taken the time to see our files are safe.

  3. Bob said on August 1, 2012 at 6:58 pm
    Reply

    So come clean, Martin. Were you using that password on other sites? :)

    1. Martin Brinkmann said on August 1, 2012 at 7:43 pm
      Reply

      No I was not. I use unique passwords for all accounts.

  4. Morely the IT Guy said on August 1, 2012 at 4:11 pm
    Reply
    1. Martin Brinkmann said on August 1, 2012 at 5:22 pm
      Reply

      Well I would not really call that hacked to be honest.

      1. ilev said on August 1, 2012 at 7:44 pm
        Reply

        I would call it hacked:

        Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

        A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again…

      2. ilev said on August 1, 2012 at 7:06 pm
        Reply

        I would call it hacked.

        http://blog.dropbox.com/index.php/security-update-new-features/

        Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

        A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again….

  5. kalmly said on August 1, 2012 at 3:39 pm
    Reply

    Just one more thing that folks will complain about and then accept. The gods reside in the cloud. Y’all are welcome to it.

  6. Dustin said on August 1, 2012 at 2:21 pm
    Reply

    I too was surprised when I received the email and was immediately upset that they had just up and reset my password. But honestly, I’d rather they did that than go for 6 months and THEN notify users saying how they think they had a security breach 6 months ago, have been investigating it and are NOW working with the potentially affected users.

    It’s just one of the many risks of using “cloud” services.

    1. Nerdebeu said on August 1, 2012 at 7:23 pm
      Reply
    2. Martin Brinkmann said on August 1, 2012 at 3:09 pm
      Reply

      I do agree that I’d prefer a false-positive password reset over a case where the company reacts too late or not at all. The reason given here, passwords that have not been changed for some time, is however something that I’d not consider reason enough to reset a user’s password.

      1. Nerdebeu said on August 1, 2012 at 5:46 pm
        Reply

        I’ve never understood why not changing a password for a long time is a risk factor. The other day, my banker made me think when he saw that I hadn’t changed mine for a few years…. I said: but a password composed of 6 digits, do you believe that is perhaps secure? And explain what a strong password is…

      2. Martin Brinkmann said on August 1, 2012 at 6:27 pm
        Reply

        There is no definition of a secure password. I’m currently using 20+ character passwords using upper- and lowercase characters, numbers and special characters for all passwords where the length is not limited to less.

  7. Bee.GH said on August 1, 2012 at 2:13 pm
    Reply

    I definitely welcome 2-Factor authentication.

    1. Martin Brinkmann said on August 1, 2012 at 3:09 pm
      Reply

      I agree. I’ve been using this for some time now on Google and PayPal and like it a lot.

      1. Nerdebeu said on August 1, 2012 at 5:42 pm
        Reply

        If they protect phone numbers the way they do email addresses or passwords, I wish you fun…

  8. CommentPony said on August 1, 2012 at 12:42 pm
    Reply

    I got the email as well. I use a unique password in any case but the astounding news here is storing user emails in a regular old dropbox account. They are absolutely insane to have done that.

  9. Nerdebeu said on August 1, 2012 at 12:23 pm
    Reply

    “According to the blog post, not all Dropbox passwords have been reset, but users who have not changed their password in a long time or have a commonly used password are affected by this.”

    I wonder: how can they know that a password is commonly used? That would mean they can read it, which theoretically should not be the case…

    1. Martin Brinkmann said on August 1, 2012 at 3:04 pm
      Reply

      We do not know because they do not share how passwords are stored on their servers. I doubt it is plain text but everything beyond that, who knows.
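The question raised in the last comment (how a service can know a password is "commonly used" without being able to read stored passwords) and the two reset criteria named in the post (a password not changed for a long time, or a common one) can both be answered in code. This is an added Python example, not Dropbox's code: the common-password list, the 365-day age threshold and the user records are constructed assumptions. Storage keeps only a salted PBKDF2 digest; the "common" check runs at the moment the user submits the password, when the server holds the plaintext in memory anyway.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

# Constructed stand-in for a common-password dictionary (assumption, not Dropbox's list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "dropbox"}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed threshold; the post gives no figure
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: only this digest and the salt are stored, not the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def create_user(password: str, changed_at: datetime) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_password(password, salt),
            "changed_at": changed_at, "reset_required": False}

def reset_reasons(user: dict, submitted: str, now: datetime) -> list:
    # "stale" needs only the stored timestamp; "common" can only be judged while the
    # plaintext is transiently in memory, i.e. at login, so it lives in the login path.
    reasons = []
    if now - user["changed_at"] > MAX_PASSWORD_AGE:
        reasons.append("stale")
    if submitted in COMMON_PASSWORDS:
        reasons.append("common")
    return reasons

def login(user: dict, password: str, now: datetime) -> str:
    # Verify against the stored digest in constant time, then apply the reset criteria.
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["digest"]):
        return "bad_password"
    reasons = reset_reasons(user, password, now)
    if reasons:
        user["reset_required"] = True  # force a reset before the next successful login
        return "reset_required:" + ",".join(reasons)
    return "ok"

def demo() -> dict:
    # Constructed accounts covering each combination of the two criteria.
    now = datetime(2012, 8, 1)
    old_common = create_user("password", now - timedelta(days=800))
    old_unique = create_user("x9!Qv2#kL8@pZ4$mW1&nR7", now - timedelta(days=800))
    new_common = create_user("qwerty", now - timedelta(days=30))
    new_unique = create_user("T7#r2kLm!9vQz^4pB6", now - timedelta(days=30))
    return {"old_common": login(old_common, "password", now),
            "old_unique": login(old_unique, "x9!Qv2#kL8@pZ4$mW1&nR7", now),
            "new_common": login(new_common, "qwerty", now),
            "new_unique": login(new_unique, "T7#r2kLm!9vQz^4pB6", now),
            "wrong_password": login(new_unique, "dropbox", now)}
```

Note that the "stale" criterion alone can be evaluated offline from stored metadata, whereas the "common" criterion requires the user to have logged in since the check was introduced.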
