Dropbox users that haven’t updated their passwords prior to mid-2012 will prompted to change it when they next sign in. The company made this announcement yesterday in a blog post by Patrick Heim, Head of Trust & Security for Dropbox. As Heim described their motivation,
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.
Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.
The incident he mentioned was in 2012, and involved usernames and passwords that were stored in a file, and which recently have been used to access some accounts.
Users are also being asked to set up two-factor authentication, which many avoid because of increasing login time, but which is a wise security move.