A database containing login information for nearly 7 million users of the private cloud storage provider Dropbox has been accessed by hackers, according to a partial dump posted on Pastebin earlier this evening (via The Next Web). However, Dropbox has issued a statement denying that this breach occurred on its end, saying that Dropbox itself was not attacked, but rather a third-party service that had stored user credentials:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
Update: Dropbox has also published a blog post addressing the incident.
Dropbox has taken steps to ensure that the leaked data is no longer valid by disabling any passwords that were leaked in the breach (and apparently many others just in case). The perpetrators have not yet posted a full dump of the database, opting to post only a few “teasers” from a section of the database containing email addresses starting with the letter “B.” These individuals are soliciting Bitcoin donations and say they will post more as more donations come in.
If you haven’t already, you should log in to Dropbox and change your password. It would also be wise to look for any unauthorized apps or login sessions on the site’s security settings page and revoke access to those you don’t recognize, since any apps that have logged into your account, including the official iPhone and Mac applications, will not be automatically logged out when you change your password.
Enabling two-factor login is highly recommended on all services that support it, and Dropbox is no exception. You can add that security feature to your account from the security settings page as well. If you used your Dropbox password on any other services, you should change those immediately.