Slashdot Mirror


Dropbox Is Urging Users To Reset Their Passwords (fortune.com)

Dropbox is forcing a number of users to change their passwords after the cloud storage company found some account details linked to an old data breach. "The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria," the company writes on its website. Fortune reports: The popular cloud storage company said the move was related to the theft of an old set of Dropbox credentials, dating back to 2012. So the users the company has contacted are those who created Dropbox accounts before mid-2012 and have not updated their passwords since that time. Dropbox disclosed in July 2012 that some users were getting spammed, and the cause appeared to be the theft of usernames and passwords from other websites. As is often the case, some people reuse their usernames and passwords across different web services. (If it still needs saying, you really shouldn't reuse your passwords, ever.)

30 comments

  1. I tried to change my password by Anonymous Coward · · Score: 0

    but accidentally knocked a bowl of piping hot grits down the front of my pants

  2. Contradiction by Anonymous Coward · · Score: 1

    "Dropbox is forcing a number of users to change their passwords after the cloud storage company found some account details linked to an old data breach. "

    "We proactively initiated this password update prompt"

    These two statements are in contradiction, and the speaker should learn the meaning of the word "proactive".

    1. Re:Contradiction by Coren22 · · Score: 0

      It may be that the data breach wasn't of their systems. Many people reuse passwords, as remembering 400 passwords is impossible for anyone. Personally I use LastPass instead, but not everyone realizes that is available.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    2. Re:Contradiction by Anonymous Coward · · Score: 1

      How are services like LastPass not just putting all your eggs into one basket?
      If they get compromised, then your credentials for *every* site you stored there are now compromised and you have to go change all of them!

    3. Re:Contradiction by safetyinnumbers · · Score: 1

      Well if they get compromised it shouldn't be a problem, as they don't store anything to do with your password. All decryption is done client-side.

      If your computer has a keylogger or you're tricked into entering your LastPass password into a fake login page or something, then yes, you've just opened up all your passwords in one go.

    4. Re:Contradiction by Anonymous Coward · · Score: 0

      That's why you should use a local password manager. If you need to access your passwords from multiple devices, put the database in a dropbox. If you're paranoid, like me, put the database in a TrueCrypt container on dropbox.

  3. Mark Zuckerberg is a Cylon by Anonymous Coward · · Score: 1

    N/T

  4. Your password is old. by omnichad · · Score: 1

    This hit me yesterday after using Dropbox for the first time in a couple of years. It just says "We noticed that you recently tried to log in to Dropbox with a password that you haven't changed in a while. Your old password expired and you'll need to create a new one to log in." No mention of any sort of breach or compromise.

    1. Re:Your password is old. by sexconker · · Score: 2

      They found more account details in the wild from a 2012 breach. In 2012 they got hit and required some users to reset (no idea if they actually notified anyone). Now they're requiring more people hit in the 2012 breach to reset. I logged into Dropbox.com and was required to reset. I received no notification from Dropbox about it.

      If they're not notifying people then it's a disaster - no one logs into Dropbox.com. They install it on their PCs / phones and never go to the site.

    2. Re:Your password is old. by omnichad · · Score: 1

      If they're not notifying people then it's a disaster

      What's a disaster is not revoking login tokens for PCs/phones if there's any chance any of those could have been unauthorized.

    3. Re:Your password is old. by Anonymous Coward · · Score: 0

      Users can log in and see/revoke activated devices themselves.

    4. Re:Your password is old. by Cro+Magnon · · Score: 1

      Hell, I don't even remember what my Dropbox pw is! I do everything on my PC and it never asks for a password unless I install it on a new device.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    5. Re:Your password is old. by dotgain · · Score: 1

      Can users also log in and completely miss the point?

  5. Coming soon... by BringsApples · · Score: 1

    There will be a simple single word that explains: "We got hacked, please change your password until next time we get hacked."

    Any suggestions?

    --
    Politics; n. : A religion whereby man is god.
    1. Re:Coming soon... by Anonymous Coward · · Score: 0

      I think there's already a word: pwned.

      Dropbox Pwned.

  6. For a little moment I freaked out... by martiniturbide · · Score: 3, Funny

    ...I read "DOSBox urges you to change your password"... WHERE???!!!

  7. Why have passwords? by Anonymous Coward · · Score: 0

    If you have anything worth securing, you're not going to upload it to the cloud without strong encryption. So why not just let the employees, government and other nosey users easily download your files - they will do so anyway, after all.

  8. Reusing passwords by Anonymous Coward · · Score: 3, Insightful

    (If it still needs saying, you really shouldn't reuse your passwords, ever.)

    Yeah, that's great. Too bad practically every website and service on the planet now wants you to create an account to do anything remotely useful on the site, people will reuse passwords. Yeah, password managers are a thing (mine is pushing 200 sets of credentials), but average Joes don't know what they are, wouldn't know where to get one, and even if they did, wouldn't know how to install them. And even if they did manage to find, download, and install one, their database would be wiped out as soon as they got Cryptolocker or their hard drive failed because their computer has been sitting on shag carpeting for ten years and the case is practically welded shut from all the accreted gunk (they don't have backups because outside of tech geeks and sysadmins, practically nobody backs up anything ever, except maybe their car).

    1. Re:Reusing passwords by L'Ange+Oliver · · Score: 1

      There are a number of services that are becoming available through a "passwordless" approach (either through email or SMS authentication). I wish it could go mainstream, because currently the hardest part is explaining properly to users how to use the system. I wrote a post on this: https://biogeniq.ca/en/article...

    2. Re:Reusing passwords by Anonymous Coward · · Score: 0

      SMS? You give anything but essential sites your phone number? The mind boggles.

    3. Re:Reusing passwords by Anonymous Coward · · Score: 0

      I already have multiple variants of the same (crap) password depending on what stupid requirements the site has, e.g.

      hamster
      hamster2
      Hamster
      Hamster2
      Hamster2%
      etc etc

      What annoys me is they don't tell you about password restrictions until AFTER you have entered them. FFS, SHOW IT AT ALL TIMES SO I DON'T ENTER SOMETHING YOU DON'T LIKE.

      BTW, this is for sites where I couldn't give a crap whether they hack it or not. Forums and stuff, especially the type of forum that makes you register to see stuff. Screw it, they can eat my crap password and use it to write rubbish on all sites with their own crap login systems; I don't care. You make me sign up for an account to post questions about your crap products instead of using OAuth or Google login or whatever, you deserve what you get.

      Anyway - password managers. Lots of them out there; how do you know any of them do security properly? Read reviews? How do I know the reviewer knows what he is talking about? I'd love a secure password manager that works across *all* platforms. But you're asking me to trust the opinion of randoms on the internet as to whether it's any more secure than just stuffing it into a text file and opening up a share on my computer.

    4. Re:Reusing passwords by Anonymous Coward · · Score: 0

      Do you trust Bruce Schneier with regard to information security concerns?

      Some folks have put together ports for OS X as well. It's all open source; feel free to read the code for yourself and discuss it with others. Optimally, contribute to public discussion of this and other cryptographic tools so they can be more widely popularized and scrutinized. Hope this helps. -PCP

    5. Re:Reusing passwords by Anonymous Coward · · Score: 0

      TBH: never heard of him. Perhaps in the last xx years on here he's been mentioned, but I don't recognise the name. And you're an AC posting the link.

      Even if he is real, is that his real website? Are the claims on there real? There are links; how do I know they are real? And when it comes to the ports, he says he can't verify them anyway...

      Are you a scammer making me install stuff? Or a member of the FBI? How many hours do I need to investigate this to make sure I know it's the right person, let alone whether he is really qualified to talk about what he talks about?

      See the mess we are in?

      When it comes to installing something that looks after ALL my passwords, these are questions I want answered. (But thanks for your contribution anyway.)

    6. Re:Reusing passwords by Anonymous Coward · · Score: 0

      I probably know better than most the mess we're in. I've spent the better part of the last 20 years up to my eyeballs in systems ranging from foreign consular networks, to the innards of various interesting things with blinky lights on nuclear submarines, to the core operations of a couple of dozen Fortune 500 firms. It's all a mess, much more than it used to be, in fact. The first thing you need to realize is this: you shouldn't "just trust" me. You probably also shouldn't trust most of your coworkers/colleagues. If you really want to get down to brass tacks, you also probably shouldn't trust some of your own family members with anything truly sensitive.

      It's on you to protect what you value, which means it's on you to educate yourself in the means to do so. There is no magic bullet, but you might start with learning about some of the fundamentals of cryptography. You might also do a bit of research into the backgrounds of folk like Bruce Schneier; you'll find he's rather well published. Heck, you might even strike up some correspondence with him and others like him. It's really all up to you, but don't expect a free ride in any of this. Good luck. -PCP

  9. Shame them! by Anonymous Coward · · Score: 0

    ... the cloud storage company found some account details linked to an old data breach.

    I am a victim of a hack of Anthem because they were incompetent and stupid.

    So is Dropbox, the IRS, and every other company or government agency that has lost data. There is no excuse.

  10. and they don't have any stupid complexity requirem by davide+marney · · Score: 3, Interesting

    So I was able to create my very long, secure, easy to remember password. Yay.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
  11. Natalie Protman's Ghost by Anonymous Coward · · Score: 0

    but accidentally knocked a bowl of piping hot grits down the front of my pants

    Look out. Natalie Portman's ghost is right behind you!

  12. Re:and they don't have any stupid complexity requi by Anonymous Coward · · Score: 0

    Seems they are using this instead: https://github.com/dropbox/zxcvbn

  13. Glad I Cut Off DropBox After ... by Anonymous Coward · · Score: 0

    Only used it briefly because a U.S. Gov. Agency Contractor .... Well. I killed it after the "need" which to me seemed to be no need at all!

    Ha

  14. Re:and they don't have any stupid complexity requi by The+Raven · · Score: 1

    In fact, Dropbox wrote and open-sourced a very nice password complexity tool, specifically encouraging smarter password complexity. No banned characters, no stupid requirements, just a relatively intelligent entropy estimator.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
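An added example, not code from the page or from Dropbox's zxcvbn project, in the spirit of the estimator comments 12 and 14 point to: it scores the "hamster" variants from the earlier comment by the patterns a cracker would try (dictionary rank, capitalisation, l33t substitutions, appended digits) next to the character-class rule those variants were invented to satisfy. The word list, ranks and l33t table are constructed and tiny; zxcvbn uses large ranked lists and several more pattern matchers.

```javascript
// Illustration of the zxcvbn idea (not Dropbox's zxcvbn itself): estimate guesses from the
// patterns attackers actually try rather than from character classes.
// DICT, its ranks and LEET are constructed for this example; assumes ASCII input.
const DICT = ["password", "hamster", "dropbox", "letmein", "welcome", "monkey"]; // rank = index + 1
const LEET = { "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
const CLASS_SIZE = [26, 26, 10, 33];

// The "N of four character classes" rule that sites impose, and that "Hamster2%" satisfies.
function complexityClasses(pw) {
  return CLASSES.filter((re) => re.test(pw)).length;
}

// Pattern-based estimate: undo case and l33t substitutions, find the longest dictionary
// word, charge its rank plus small multipliers for the cheap variations, and brute-force
// only the characters the word does not explain.
function estimateGuesses(pw) {
  // Per-character mapping keeps indices aligned with pw (ASCII assumption).
  const normalized = pw.split("").map((c) => (LEET[c] !== undefined ? LEET[c] : c.toLowerCase())).join("");
  let best = null;
  DICT.forEach((word, i) => {
    const at = normalized.indexOf(word);
    if (at !== -1 && (best === null || word.length > best.word.length)) best = { word, rank: i + 1, at };
  });
  if (best === null) {
    // No dictionary core: brute force over the character classes actually present.
    const card = CLASSES.reduce((sum, re, i) => sum + (re.test(pw) ? CLASS_SIZE[i] : 0), 0);
    return { guesses: Math.pow(card, pw.length), match: null };
  }
  const core = pw.slice(best.at, best.at + best.word.length);
  let guesses = best.rank;
  if (/[A-Z]/.test(core)) guesses *= 2;               // capitalisation variant of the word
  if (core.toLowerCase() !== best.word) guesses *= 2; // l33t variant of the word
  const extra = pw.length - best.word.length;         // characters outside the word
  guesses *= Math.pow(CLASS_SIZE[2] + CLASS_SIZE[3], extra); // treated as digit/symbol padding
  return { guesses, match: best.word };
}

// Side by side: the rule-based verdict versus the pattern-based one.
function assess(pw) {
  const { guesses, match } = estimateGuesses(pw);
  return { password: pw, classes: complexityClasses(pw), log10Guesses: Math.log10(guesses), match };
}

["hamster", "Hamster2", "Hamster2%", "h4mst3r!", "xq7#Lp2v"].forEach((pw) => console.log(assess(pw)));
```

"Hamster2%" passes all four character classes yet sits at a few thousand guesses, while an eight-character string with no dictionary core lands at around 10^15, which is the gap the complexity rules in the thread fail to see.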