Here’s Why Dropbox Is Urging Users to Reset Their Passwords by David Meyer @FortuneMagazine August 26, 2016, 6:06 AM EDT E-mail Tweet Facebook Linkedin Share icons Dropbox has emailed many of its users, urging them to reset their passwords. The popular cloud storage said the move was related to the theft of an old set of Dropbox credentials, dating back to 2012. So the users the company has contacted are those who created Dropbox accounts before mid-2012 and have not updated their passwords since that time. Get Data Sheet, Fortune’s technology newsletter. Dropbox disclosed in July 2012 that some users were getting spammed, and the cause appeared to be the theft of usernames and passwords from other websites. As is often the case, some people reuse their usernames and passwords across different web services. (If it still needs saying, you really shouldn’t reuse your passwords, ever.) What happened in 2012 is that some Dropbox users fell victim to account break-ins because of password reuse. A stolen password also helped someone steal an email list from an employee Dropbox account—hence the spam. Now Dropbox says it has “learned” about an old set of credentials that were “obtained in 2012.” It reckons this set, which is presumably doing the rounds on the virtual underground, is connected with the same incident. For more on passwords, watch our video. “Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” the company said. “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.” Those worried about the security of their Dropbox accounts should really also set up two-factor authentication while they’re at it. This means anyone logging into Dropbox on a new device will need to enter a code that only the account-holder should be able to see. Dropbox allows people to use codes generated by authenticator apps or special keys, not just SMS—text messages have been shown to be a relatively insecure two-factor authentication tool.