Dropbox may have reset your password, just now
If you are a Dropbox customer, you may have received an email from the company informing you that it reset the password of your Dropbox account.
The email offers little information about why, only that it is a reaction to a security incident that took place in mid-2012.
What this means is that only user accounts that are at least that old are affected.
We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.
To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at [email protected].
Dropbox's email contains a link to a FAQ help page that answers some of the questions. Probably the most important answers are what you need to do right now, and why the password was reset in the first place.
Reason for the password reset
It appears that Dropbox got their hands on a dump file that lists Dropbox user credentials. According to the company, it contains Dropbox usernames (usually an email address), and salted passwords.
All Dropbox users who are on that list receive an email from Dropbox with the information posted above.
Dropbox considers this move a precaution, as it is not aware of any attacks against the accounts on that list, or unauthorized access to one or multiple of the Dropbox accounts on that list.
We are prompting a password update purely as a preventive measure. We have no indication your account was improperly accessed.
Affected users will be prompted to change their account password on the next sign in to Dropbox. This is only the case for users who have not changed their passwords since mid-2012. If you did, you are good.
What Dropbox wants you to do
Dropbox reset affected account passwords. This means that you will receive a prompt to create a new password on the first sign in to the service on dropbox.com.
You may initiate the "forgot your password" process instead if you prefer it that way. Simply enter your Dropbox email on the first page, click on the link in the email that you will receive, and enter a new password for the account.
Also, if you have two-factor authentication enabled, you need to confirm that second step of authorization to complete the process.
Note: If you used the email and password credentials on other sites, you may want to update passwords on those sites as well, as attackers may try to sign in using the combination (if they are able to crack the password).
Also, it appears that two-factor authentication SMS codes are currently delayed.
Now you: Did you receive an email from Dropbox?
I got this email as well and logged in to Dropbox. It did not reset my password, nor had any notifications on the site that it will do so.
Hmm!
Huh? Will someone please explain what possibly could have happened that took four+ years to discover or whether Dropbox is likely fibbing about something.
They deleted my account instead. They said I hadn’t used it for 5 years or something. Probably true.
Hello.
I have Never had a Dropbox account and yet I Still received this Notification at my e-mail address.
What Gives?
Now that’s what I would call being proactive (to the max). ;)
Actually, it’s only about your email address being used as your username at other sites you visit/join (like LinkedIn), which is an absolutely normal thing these days (and the potential for some users to use the same password across a number of sites). Maybe if so many sites didn’t force/default people to use their email address as their username…? Still, they shouldn’t force-reset passwords arbitrarily.
The only mail I’ve got from them was another (3rd) notification that my account will be deleted in 15 days. Which I really don’t need since they added Condoleezza Rice to the board of directors – that was security and privacy reason enough to say “thanks” for their service.
Oh after all those years they finally admit it.
Well, let's see if my email arrives or if this was yet another leak.
I didn’t receive e-mail from Dropbox. Well, I don’t store sensitive data in the cloud, except Keepass, but it’s encrypted, so I don’t worry.
Thank you for the information, Martin!
Thanks for the heads up, Martin.
Seems like it’s more and more difficult to trust cloud storage services.
Luckily I encrypt everything before uploading it.
Encryption is the best thing you can do if you plant files in the cloud.