Here’s Why Dropbox Is Urging Users to Reset Their Passwords

August 26, 2016, 10:51 AM UTC
Key Speakers At The Brooklyn Beta Conference
Dropbox Inc. signage is displayed at the Brooklyn Beta conference in the Brooklyn borough of New York, U.S., on Friday, Oct. 12, 2012. Brooklyn Beta is a small web conference aimed at gathering web designers, developers, and entrepreneurs together to discuss meaningful problems in the industry. Photographer: Mark Ovaska/Bloomberg via Getty Images
Photograph by Mark Ovaska — Bloomberg via Getty Images

Dropbox has emailed many of its users, urging them to reset their passwords.

The popular cloud storage said the move was related to the theft of an old set of Dropbox credentials, dating back to 2012.

So the users the company has contacted are those who created Dropbox accounts before mid-2012 and have not updated their passwords since that time.

Get Data Sheet, Fortune’s technology newsletter.

Dropbox disclosed in July 2012 that some users were getting spammed, and the cause appeared to be the theft of usernames and passwords from other websites.

As is often the case, some people reuse their usernames and passwords across different web services. (If it still needs saying, you really shouldn’t reuse your passwords, ever.)

What happened in 2012 is that some Dropbox users fell victim to account break-ins because of password reuse. A stolen password also helped someone steal an email list from an employee Dropbox account—hence the spam.

Now Dropbox says it has “learned” about an old set of credentials that were “obtained in 2012.” It reckons this set, which is presumably doing the rounds on the virtual underground, is connected with the same incident.

For more on passwords, watch our video.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed,” the company said. “Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.”

Those worried about the security of their Dropbox accounts should really also set up two-factor authentication while they’re at it. This means anyone logging into Dropbox on a new device will need to enter a code that only the account-holder should be able to see.

Dropbox allows people to use codes generated by authenticator apps or special keys, not just SMS—text messages have been shown to be a relatively insecure two-factor authentication tool.