A database containing login information for nearly 7 million users of the private cloud storage provider Dropbox has been accessed by hackers, according to a partial dump posted on Pastebin earlier this evening (via The Next Web). However, Dropbox has issued a statement denying that this breach occurred on its end, saying that Dropbox itself was not attacked, but rather a third-party service that had stored user credentials:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
Update: Dropbox has also published a blog post addressing the incident.
Dropbox has taken steps to ensure that the leaked data is no longer valid by disabling any passwords that were leaked in the breach (and apparently many others just in case). The perpetrators have not yet posted a full dump of the database, opting to post only a few “teasers” from a section of the database containing email addresses starting with the letter “B.” These individuals are soliciting Bitcoin donations and say they will post more as more donations come in.
If you haven’t already, you should log in to Dropbox and change your password. It would also be wise to review the site’s security settings page for any unauthorized apps or login sessions and revoke access to any you don’t recognize: apps that have already logged into your account, including the official iPhone and Mac applications, are not automatically logged out when you change your password.
Enabling two-factor login is highly recommended on all services that support it, and Dropbox is no exception. You can add that security feature to your account from the security settings page as well. If you used your Dropbox password on any other services, you should change those immediately.
2FA all the way, turned it on some time ago when I realized they enabled it.
I’m going to call BS on the passwords being expired. Plenty of people have been successfully posting that they are able to log in to Dropbox with the posted credentials.
Passwords aren’t expired at all. Dropbox is just claiming in the post that they detect suspicious activity and block accounts with them. Worst blog post I’ve ever seen. Doesn’t address the fact that changing your password will continue to allow 3rd party services to access all your data even when your password is reset. WEAK.
Use SpiderOak instead of Dropbox. Fully encrypted.
Great timing with iCloud Drive then. Bye bye Dropbox
I think DB is garbage but this isn’t their problem, per se. It is more a problem with how some people failed to protect their passwords by sharing them with others all over the Internet.