A thread on Reddit late Monday linked to a cache of Dropbox usernames and corresponding passwords allegedly gleaned from a Dropbox breach, but the company maintains its servers were not infiltrated and instead placed blame on an unnamed third-party service.
Along with the approximately 400 usernames and passwords posted to Pastebin in plain text, hackers claimed to be in possession of access data for up to 7 million accounts taken directly from Dropbox servers, reports The Next Web.
In a statement issued on its official blog shortly after the leak, Dropbox denied the breach, saying the user credentials were scraped from unrelated services and then tried against numerous websites to see where they worked.
Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Dropbox told the publication that it had previously detected the attacks, noting all passwords in the list are no longer in service, with a "vast majority" having been expired "for some time now."
For those who have not yet enabled two-step verification, Dropbox provides instructions on activating the security protocol, which is built into users' security settings. With two-factor authentication turned on, an account can only be accessed after entering a six-digit time-sensitive code generated by specialized apps like Google Authenticator. Alternatively, the system can send codes to a trusted device via text message.
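The six-digit time-sensitive codes described above follow the TOTP scheme (RFC 6238) that Google Authenticator implements. The sketch below is an added example, not Dropbox's code: it shows how a server can check such a code, tolerating one 30-second step of clock drift and refusing a code that has already been used. The class name, the drift window and the sample secret (the RFC 6238 test key) are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code for Unix time `at`, using HMAC-SHA1 and a 30 s step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // step)        # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Hypothetical per-account verifier: small drift window plus replay protection."""

    def __init__(self, secret_b32, step=30, drift=1):
        self.secret, self.step, self.drift = secret_b32, step, drift
        self.last_counter = -1                          # highest time step already accepted

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        accepted = None
        for c in range(max(0, current - self.drift), current + self.drift + 1):
            expected = totp(self.secret, c * self.step, self.step)
            # Constant-time comparison; a step at or below last_counter is a replay.
            if hmac.compare_digest(expected.encode(), code.encode()) and c > self.last_counter:
                accepted = c
        if accepted is None:
            return False
        self.last_counter = accepted                    # burn this step and all earlier ones
        return True

# Constructed sample secret: the ASCII test key from RFC 6238, base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    print(code, v.verify(code, now=59), v.verify(code, now=59))
```

A password taken from another service is not enough to pass this check, because the attacker would also need the per-account secret held by the user's authenticator app.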