A thread on Reddit late Monday linked to a cache of Dropbox usernames and corresponding passwords allegedly gleaned from a Dropbox breach, but the company maintains its servers were not infiltrated and instead placed blame on an unnamed third-party service.
Along with the approximately 400 usernames and passwords posted to Pastebin in plain text, hackers claimed to be in possession of access data for up to 7 million accounts taken directly from Dropbox servers, reports The Next Web.
In a statement issued on its official blog shortly after the leak, Dropbox denied the breach, saying the credentials were stolen from unrelated services and then tried against numerous websites, Dropbox among them, to find accounts where the same password had been reused.
Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Dropbox told the publication that it had previously detected the attacks, noting all passwords in the list are no longer in service, with a "vast majority" having been expired "for some time now."
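The attack Dropbox describes, a list of username/password pairs stolen elsewhere and replayed against an unrelated site, is usually called credential stuffing, and the page does not say how Dropbox detects it. The following is an added example, not Dropbox's code, of one common heuristic: flag a source address that tries many distinct usernames in a short window with a low success rate, and queue the accounts that did succeed from it for a forced password reset. The log format, field names, thresholds and sample lines are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real Dropbox data). Assumed format:
# <ISO-8601 UTC timestamp> <source IP> <username> <OK|FAIL>
# 203.0.113.7 walks a leaked list: six different users in five seconds,
# one of whom (carol) reused her password and so logs in "successfully".
# 198.51.100.9 is a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2014-10-13T22:01:02Z 203.0.113.7 alice@example.com FAIL
2014-10-13T22:01:03Z 203.0.113.7 bob@example.com FAIL
2014-10-13T22:01:03Z 203.0.113.7 carol@example.com OK
2014-10-13T22:01:04Z 203.0.113.7 dave@example.com FAIL
2014-10-13T22:01:05Z 203.0.113.7 erin@example.com FAIL
2014-10-13T22:01:06Z 203.0.113.7 frank@example.com FAIL
2014-10-13T22:05:00Z 198.51.100.9 alice@example.com FAIL
2014-10-13T22:05:20Z 198.51.100.9 alice@example.com OK
2014-10-13T23:30:00Z 203.0.113.7 grace@example.com FAIL
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: set of usernames that logged in OK from that ip}.

    An ip is flagged when some sliding window of its attempts touches at
    least min_users distinct usernames and succeeds at most
    max_success_ratio of the time. The thresholds are illustrative.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance start until the attempts evs[start:end+1] fit in window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3])
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(e[2] for e in win if e[3])
    return flagged


def accounts_to_reset(events):
    """Usernames whose password was accepted from a flagged source."""
    compromised = set()
    for users in find_stuffing_sources(events).values():
        compromised |= users
    return sorted(compromised)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", find_stuffing_sources(evs))
    print("force reset:", accounts_to_reset(evs))
```

On the sample log only 203.0.113.7 is flagged, and only carol's account, the one whose reused password worked, goes on the reset list; the legitimate retry from 198.51.100.9 touches a single username and is left alone. Real deployments add per-username and per-ASN views, because a stuffing run spread across a botnet will not concentrate on one source address.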
For those who have not yet enabled two-step verification, Dropbox provides instructions for activating the feature in the account's security settings. With two-step verification turned on, a login requires both the password and a six-digit, time-limited code generated by an authenticator app such as Google Authenticator. Alternatively, Dropbox can send the code to a trusted phone via text message.
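The six-digit, time-limited code the article describes is TOTP (RFC 6238): an HMAC over a counter derived from the current 30-second interval, truncated to six decimal digits. The block below is an added example, not Dropbox's or Google Authenticator's own code; it implements the generator and a server-side verifier that tolerates one step of clock skew. The secret is the published RFC 4226/6238 test key, base32-encoded the way authenticator apps accept it, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test key b"12345678901234567890", base32-encoded as an
# authenticator app would store it. A demo value, not a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    `at` is a unix timestamp; None means now."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else int(at)
    return hotp(key, now // step, digits)


def verify_totp(secret_b32: str, submitted: str, at=None, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and up to
    `skew_steps` neighbouring steps on either side, so a slightly wrong
    phone clock does not lock the user out. Compares in constant time so
    response timing cannot reveal how many digits matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else int(at)
    counter = now // step
    for delta in range(-skew_steps, skew_steps + 1):
        c = counter + delta
        if c < 0:
            continue  # struct.pack(">Q") rejects negative counters
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
    # Published RFC 6238 vector: time 59 with a 30-second step gives 287082.
    print("code at t=59:", totp(DEMO_SECRET_B32, at=59))
```

Because the verifier accepts the neighbouring step on each side, a code stays usable for up to about 90 seconds rather than 30; widening the skew window trades that against an attacker's guessing odds. A production verifier also records the last accepted counter per user and refuses to accept it again, so a code observed once cannot be replayed within the window.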
56 Comments
Here is what 1Password has to say about it, for those who still store their 1PDB in Dropbox: http://blog.agilebits.com/2014/01/12/dropbox-breach-hoax-1password-security-master-password/
By my count that is the fourth time, in what, 2 years?
PhilBoogie wrote: "By my count that is the fourth time, in what, 2 years?"
This isn't a Dropbox breach so it shouldn't be added. That said, I really wish Dropbox would catch up to Google and Apple with the ability to create app/platform-specific passwords that will only allow itself to be used in one place, never to access their website directly, as well as allow the user to specify which folder(s) can be accessed with that password to help further isolate any potential data breaches.
SolipsismX wrote: "This isn't a Dropbox breach so it shouldn't be added. That said, I really wish Dropbox would catch up to Google and Apple with the ability to create app/platform-specific passwords that will only allow itself to be used in one place, never to access their website directly, as well as allow the user to specify which folder(s) can be accessed with that password to help further isolate any potential data breaches."
While that's a valid point, that it isn't their fault, to the end user it is, again, a 'bad Dropbox news; now I need to change my password again' situation. And simply changing your password doesn't automatically log you out on any device or browser that was already logged in. No, many things need to change at their end, your mention of app/platform-specific passwords being another one.
PhilBoogie wrote: "And simply changing your password doesn't automatically log you out on any device or browser that was already logged in."
You can see which browsers and IP addresses have logged into Dropbox, as well as unlink any devices, but I don't think a password change is in order with this alleged breach.