2016: Dropbox force-resets passwords as the 2012 breach finally surfaces
August 2016
Four years after the 2012 breach, the stolen credentials surfaced in the wild, forcing Dropbox to reset the passwords of all users who had not changed them since mid-2012.
What happened
In August 2016, the database of credentials stolen in Dropbox's 2012 breach — covering roughly 68 million accounts — began circulating publicly. In response, Dropbox proactively reset the passwords of every user who had signed up before mid-2012 and had not changed their password since, and required them to choose a new one on next sign-in.
Dropbox framed the reset as a precaution rather than evidence of a new compromise, and noted that the stored passwords were hashed (the older portion with salted SHA-1, the rest with bcrypt). Salted SHA-1 is a fast hash and gives far less resistance to offline cracking than bcrypt, so the older records were the ones at real risk once the dump circulated. But the episode laid bare how long the consequences of a breach linger: the 2012 incident had been publicly described at the time as little more than spam exposure, and only in 2016, four years after the fact, did the true scale of tens of millions of credentials become undeniable.
For users, the practical effect was a forced interruption and a reminder that a breach is not 'over' when it is disclosed: stolen credentials can resurface years later and drive fresh account-takeover risk, especially for people who reused the same password on other services.
Impact
The reset is the clearest illustration of breach 'long tail': the 2012 incident's real scope stayed hidden for four years, and its fallout — credential-stuffing risk and a mass forced reset — arrived in 2016. It validated critics who had argued Dropbox underplayed the original breach, and it reinforced why disclosure timeliness and scope honesty matter.