On Monday, a Reddit thread surfaced with links to Pastebin files containing a slew of Dropbox logins. And, said the hacker, there’s plenty more where that came from—roughly 7 million compromised accounts in total.
The initial leaks amounted to hundreds of Dropbox usernames and passwords, all posted in plain text. The anonymous perpetrator claimed this was just a taste of the voluminous hack and promised to leak more in exchange for bitcoin “donations.” The top of one of the Pastebin files reads:
6,937,081 DROPBOX ACCOUNTS HACKED
PHOTOS – VIDEOS – OTHER FILES
MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN
As more BTC is donated, more Pastebin pastes will appear
At this time, the source of the data is unknown.
Although 7 million accounts only comes to about 3% of the 220 million that Dropbox services, that’s no consolation for the folks whose logins have been compromised.
Just after contending with a Selective Sync glitch that errantly deleted user files, Dropbox finds itself at the center of another data integrity issue. But this time, the company says, it’s not to blame. In a statement to The Next Web, the cloud storage provider flat-out denied that it was hacked. Instead, it pointed the finger at third-party services:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
The Reddit community set about checking if the logins were legitimate, and some members claimed that, while several were expired, some others still appeared to be valid as of late Monday night.
How To Safeguard Yourself
Some Dropbox users may notice a prompt or message from the company, urging them to change their passwords or turn on two-factor authentication, a secondary measure that requires entering a six-digit security code in addition to login credentials.
But whether you see the warning or not, you would still be wise to take action. It’s better to be safe than sorry.
Log into your Dropbox account and change your password, choosing a strong one that you don’t use anywhere else. On the same page, you can switch on two-step verification; Dropbox’s own description of the feature explains how the extra step works.
Once you’ve secured your Dropbox account, take one more step and think about anywhere else you may have used the same username and password combo. You’ll want to change those too—and then vow never to use the same credentials in multiple places again. Once logins are out in the open, other parties can try them at various sites, from Facebook and Gmail to the major online banking sites. Automated bots would make very easy work of this.
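The pattern described above, a bot replaying a leaked username/password list against many accounts, is what a service provider looks for when it talks about detecting suspicious login activity. The following is an added example, not code from ReadWrite or Dropbox: it runs over constructed sample log lines in an assumed format and flags source IPs that attempt many distinct usernames in a short window, returning the accounts that were successfully logged into from such a source (the ones a provider would reset).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real Dropbox logs. Assumed format:
# <ISO timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2014-10-13T22:00:01 203.0.113.7 alice LOGIN_FAIL
2014-10-13T22:00:02 203.0.113.7 bob LOGIN_FAIL
2014-10-13T22:00:03 203.0.113.7 carol LOGIN_OK
2014-10-13T22:00:04 203.0.113.7 dave LOGIN_FAIL
2014-10-13T22:00:05 203.0.113.7 erin LOGIN_FAIL
2014-10-13T22:00:06 203.0.113.7 frank LOGIN_FAIL
2014-10-13T22:30:00 198.51.100.5 alice LOGIN_FAIL
2014-10-13T22:30:20 198.51.100.5 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"

def detect_credential_stuffing(text, window=timedelta(minutes=10), min_users=5):
    """Flag IPs that try >= min_users distinct usernames within `window`.

    A user retrying their own password hits one account many times; a bot
    replaying a leaked list hits many accounts once each. Returns
    {ip: sorted usernames whose login succeeded from that ip}.
    """
    events = defaultdict(list)  # ip -> [(ts, user, ok)]
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u, _ in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted({u for _, u, ok in evs if ok})
                break
    return flagged
```

The thresholds are assumptions; a real deployment would tune them per endpoint and combine this signal with others, such as the share of attempts that fail.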
As for this breach, ReadWrite has contacted Dropbox for more information, and will update this post if the company responds.
Update: Dropbox posted a message on its blog stating that the logins were “stolen from unrelated services.” Unlike Snapchat, whose data breach stemmed from other services using its APIs to connect with it, Dropbox chalks this one up to a much more mundane reason: people using the same password on different services.
The company says the attackers just kept trying the logins at various sites, including its own:
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Update: 10/14/2014 12:30am PT
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.