The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria. Specifically, we’re prompting the update for users who:
- Signed up to use Dropbox before mid-2012, and
- Have not changed their password since mid-2012
What should I do?
If you visit dropbox.com and see that you're being prompted to create a new password, simply follow the steps on the page.
Note: If you initiate a password update but don't receive the follow-up email, check the spam folder of your inbox. If the email isn't there, add firstname.lastname@example.org to your address book and then update your password again.
Alternatively, you can follow the steps below:
- Visit the password update page on dropbox.com.
- Enter your email address.
- Click the link in the email you receive.
Why did Dropbox prompt this password update?
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012.
We first heard rumors about this set two weeks ago and immediately began our investigation. We then emailed all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can’t be used to access Dropbox accounts.
Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.
How do I know if I’m one of these users?
If your account was among this set of credentials, you'll:
- Receive an email from us at the address on your Dropbox account
- Be prompted to update your password the next time you visit dropbox.com
Does this mean my account was compromised? Is my data safe?
We are prompting a password update purely as a preventive measure. We have no indication your account was improperly accessed.
I received the email about this, but haven’t been prompted to update my password—what should I do?
If you received the email but were not prompted to update your password, then you do not need to do so. This means that you did not meet the criteria. We’re prompting the update for users who haven’t changed their Dropbox password since mid-2012.
However, if you’ve reused your password on other sites, you should update those passwords.
And to make your Dropbox even more secure, consider setting up two-factor authentication.
What if I lost access to my email address?
If you no longer have access to the email address on your account, there are a few things you can try. However, keep in mind that Dropbox cannot help you regain access to third-party services like email.
As with many online services, you must have an active email address in order to create a Dropbox account. Dropbox also requires that you have access to this email address to update your account password. This security procedure allows us to protect your account against unauthorized access.
What additional security measures can I take?
As always, we recommend that you do the following for all apps and services:
- Avoid reusing the same passwords across multiple services
- Create strong, unique passwords
- Only sign in to your account from secure devices, and always sign out if accessing on a non-personal device
- Enable two-step verification on your account
For additional resources on keeping your accounts secure, please visit our security and privacy page.
If you have questions or concerns, feel free to contact us.