Dropbox urges users to update their old passwords

It's a "purely preventative" measure, claims the company

Cloud storage company Dropbox is emailing users, insisting that they change their passwords - but is equally insistent that it hasn't been hacked.

The warning email from Dropbox is targeted at users who haven't updated their password since mid-2012 or earlier, explaining that they will be prompted to do so as a mandatory action next time they try to sign in.

The company was keen to emphasise that the measure is "purely preventative" and that there is no evidence that the site has been compromised in any way.

However, Dropbox was hacked in the middle of 2012, which may be why it is targeting these specific customers, although the hack was disclosed and widely reported at the time.

The support page explained: "Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."

This information isn't in the rather perfunctory email, which is as vague as possible, presumably to avoid scaring the horses.

Dropbox offers two-step verification and works with FIDO standard security keys, but even customers using these services are being asked to change their passwords just in case.

Users of 4chan and Reddit claimed in 2014 to have stumbled across a list of seven million Dropbox passwords, but the company strenuously denied that these were from a hack, or indeed from its customers' accounts at all.

Whistleblower Edward Snowden has repeatedly singled out Dropbox as a danger to personal data, describing it as "a threat to privacy". He urged users to switch to SpiderOak instead.

Dropbox, meanwhile, is strongly considering a public share offering in 2017 as it looks to follow its bigger rival Box to market.