Skip to main content

Hackers claim to have a database of nearly 7 million Dropbox credentials, service denies it was breached


A database containing login information for nearly 7 million users of the private cloud storage provider Dropbox has been accessed by hackers, according to a partial dump posted on Pastebin earlier this evening (via The Next Web). However, Dropbox has issued a statement denying that this breach occurred on its end, saying that Dropbox itself was not attacked, but rather a third-party service that had stored user credentials:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

Update: Dropbox has also published a blog post addressing the incident.

Dropbox has taken steps to ensure that the leaked data is no longer valid by disabling any passwords that were leaked in the breach (and apparently many others just in case). The perpetrators have not yet posted a full dump of the database, opting to post only a few “teasers” from a section of the database containing email addresses starting with the letter “B.” These individuals are soliciting Bitcoin donations and say they will post more as more donations come in.

If you haven’t already, you should login to Dropbox and change your password. It would also be wise to look for any unauthorized apps or login sessions on the site’s security settings page and revoke access to those you don’t recognize since any apps that have logged into your account, including the official iPhone and Mac applications, will not be automatically logged out when you change your password.

Enabling two-factor login is highly recommended on all services that support it, and Dropbox is no exception. You can add that security feature to your account from the security settings page as well. If you used your Dropbox password on any other services, you should change those immediately.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel


  1. Kemar W (@toohotz) - 8 years ago

    2FA all the way, turned it on some time ago when I realized they enabled it.

  2. Bon Dole - 8 years ago

    I’m going to call BS on the passwords being expired. Plenty of people have been successfully posting that they are able to login to Dropbox with the posted credentials.

    • Court Kizer - 8 years ago

      passwords aren’t expired at all. Dropbox is just claiming in the post they detect suspicious activity and block accounts with them. Worst blog post I’ve ever seen. Doesn’t address the fact that changing your password will continue to allow 3rd party services to access all your data even when your password is reset. WEAK.

  3. emanon416 - 8 years ago

    Use SpiderOak instead of Dropbox. Fully encrypted.

  4. willo (@mozfart) - 8 years ago

    Great timing with iCloud Drive then. Bye bye Dropbox

    • standardpull - 8 years ago

      I think DB is garbage but this isn’t their problem, per se. It is more a problem with how some people failed to protect their passwords by sharing them with others all over the Internet.