Millions of Dropbox Passwords Leaked Online In Exchange for Bitcoin Donations
According to reports nearly 7 million of Dropbox accounts have been hacked with hackers having leaked some 400 accounts with credentials on Reddit. Posting links to files containing usernames and passwords, hackers have promised to release more accounts in return for Bitcoin donations. While it seemed to be a hacking attempt at Dropbox, the popular online file storage service has claimed that its servers haven't been attacked and the credentials have come through third-party services. Dropbox further clarifies that it resets passwords automatically when suspicious log-in attempts are detected. In any case, it would be wise to change your Dropbox passwords to keep your data secure.
Was Dropbox hacked?
The report of Dropbox hacked accounts came through The Next Web revealing that the details of a few hundreds of Dropbox accounts were leaked on Reddit as a teaser to a bigger leak:
In four Pastebin files linked to from the site, a few hundred username and password pairs were listed in plain text as “teases” for a full leak from an anonymous user, who asked for Bitcoin donations for continued leaks.
However, Dropbox has denied of any such hacking attempt clarifying that issue isn't about security breach at Dropbox but was actually through third party services. For the users who use same passwords for varied services, this news may be problematic as passwords were allegedly stolen from less secure third party services and were then used to access Dropbox accounts. In case something has happened to your account, Dropbox will send you a “Please change your password” message.
This is coherent with another recent hacking attempt where a hundred of thousands photos were leaked from Snapchat through third-party services. This is just another reminder for users who feel lazy at choosing passwords for all the different existences online. Please do not use same password on multiple sites and especially keep unique keys for file storage, mailing accounts, and banking services. Dropbox has also published the details of denying any hacking attempt at its servers in a blog post today:
Recent news articles claiming that Dropbox hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
It is still recommended to change your passwords and enable two-step verification for your Dropbox accounts. Again, please keep dedicated passwords for services like Dropbox as it could affect your privacy and security.