Dropbox yesterday emailed users who have not changed their passwords since mid-2012 to inform them they will be prompted to do so the next time they log in.
The cloud storage firm called the action a "preventative measure" and said that there was no indication user accounts had been improperly accessed. Users who held passwords created after mid-2012 were not affected, said the company.
In a blog post explaining what prompted the step, Dropbox said it had learned about an old set of user credentials (email addresses plus hashed and salted passwords) that were stolen in an incident the company reported in 2012.
"Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in."
The incident is likely related to the huge LinkedIn hack, which saw 117 million account credentials posted online. It's thought that hackers tried the login details on other websites on the assumption that some people use the same passwords across different online services.
Dropbox has taken the opportunity to urge its users to consider enabling two-factor authentication when signing in, and has warned about the risk of re-using the same password across multiple sites.