it might be them trying to phase out older password storage formats
not that they couldn't do that without forcing a change
Yeah that makes sense. Assuming it was stored hashed in the first place, they may still want to improve it, e.g. using a higher number of PBKDF2 cycles than had been initially used.
Good thinking.
facebook is down :)
Yay!
Huh. I just got the same email as nathani
It links to https://www.dropbox.com/help/9257?oref=e
Embarrassingly, it's right. I set that password on Sep 11, 2012 according to my password manager.
Bryce should know better...
But hey, at least U2F.
"we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012."
Well this was fun to sit back and watch https://blog.lastpass.com/2014/12/introducing-auto-password-changing-with.html/
wtf... it just set it to one of my other passwords.
The most important takeaway and useful in general and hence the need for password managers in the first place: "However, if you’ve reused your password on other sites, you should update those passwords." i.e.: Don't re-use passwords