2012 data resurfaces online, forces Dropbox to take action

Aug 26, 2016 21:15 GMT

Dropbox has started notifying users today, asking them to reset their account passwords, following a security breach that occurred in mid-2012.

The email that users have received contains a link to a Dropbox help topic, where the company explains why it is taking these steps.

Dropbox learned of security breach dating back to mid-2012

As Dropbox writes, the company recently became aware of the presence of some old Dropbox user details online. This data includes email addresses and hashed and salted passwords.

After analyzing the data, Dropbox believes the breach occurred in mid-2012, and as such, it is asking all users who registered on its site before mid-2012 to reset their account passwords.

Only users who registered before that date and have not reset their password since then have been notified via email.

Dropbox investigated the breach in 2012 but didn't detect its true size

The company ties the incident to a blog post it wrote on July 31, 2012. Back then, the Dropbox crew explained that some users who registered on the site with a unique email address started receiving spam, meaning their email address was exposed outside Dropbox servers.

Dropbox investigated and discovered that unknown hackers had accessed some user accounts. The Dropbox staff said that most incidents that occurred in 2012 were because of password reuse, and not because of a server breach, which is why not all users were prompted to update their passwords in 2012.

Now, the company is taking this step before attackers start using the old data to compromise user accounts. Dropbox's action is a precautionary measure, and the company says that it didn't detect any new events where crooks illegally accessed user accounts.

Most people use Dropbox to back up important documents. It may be a good idea for those users (and everyone else) to turn on two-factor authentication (2FA) for their accounts, which Dropbox has been supporting since its early days.

Dropbox is one of the happy cases where security really matters inside a company. For example, Sony, after the devastating data breach of 2011 that brought down the PlayStation Network for 23 days, only yesterday announced support for 2FA for the PlayStation Network, five years later.