The popular (if very insecure) online backup and file sharing service Dropbox has had almost 7 million (6,937,081) account credentials (logon names and passwords) compromised.
Initial reports suggested that Dropbox itself had been hacked, but it now seems the credentials were stolen from third-party services and replayed against Dropbox logins. In a statement to The Next Web, Dropbox said,
‘Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.’
The leak came to light when four Pastebin files were posted on Reddit yesterday, showing the details of hundreds of Dropbox users whose usernames started with the letter ‘b’. The poster promised to leak more account credentials in return for Bitcoin donations.
It is unclear how old these details are, and Dropbox says that it has reset the passwords of accounts where suspicious activity has been detected, but we strongly suggest that all Dropbox users change their passwords now, as a simple precaution.
Turning on two-step verification is also a very good idea, as is securely encrypting files stored on Dropbox using EncFS. Another very good option is to move away from Dropbox completely, and use a more secure alternative.
Update: 10/14/2014 12:30am PT (posted by Dropbox):
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.
Update 17 October 2014: It now seems likely that the account details did not even belong to Dropbox accounts, although because many users reuse account usernames/passwords it is still a good idea for users to change their passwords.
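The pattern behind this story, credentials stolen from other services being replayed against Dropbox logins, is what Dropbox means by having "previously detected these attacks", and it is visible in any authentication log: one source trying many distinct usernames in a short window, almost all of them failing, with the occasional success where a user reused the leaked password. The script below is an added example, not code from the original article or from Dropbox, that flags that pattern. The log line format, the field names and the thresholds (five distinct usernames within ten minutes with at least 80% failures) are assumptions for the example; the sample log is constructed.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example (not from the original article or from Dropbox). The log format
below is an assumption: "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log: one source (203.0.113.7) walks through usernames
# starting with 'b', mostly failing; one reused password works for 'beth'.
SAMPLE_LOG = """\
2014-10-13T21:00:01 ip=203.0.113.7 user=bob result=fail
2014-10-13T21:00:02 ip=203.0.113.7 user=barbara result=fail
2014-10-13T21:00:02 ip=203.0.113.7 user=ben result=fail
2014-10-13T21:00:03 ip=203.0.113.7 user=beth result=ok
2014-10-13T21:00:03 ip=203.0.113.7 user=bill result=fail
2014-10-13T21:00:04 ip=203.0.113.7 user=brian result=fail
2014-10-13T21:05:00 ip=198.51.100.20 user=alice result=fail
2014-10-13T21:05:30 ip=198.51.100.20 user=alice result=ok
2014-10-13T21:06:00 ip=192.0.2.9 user=carol result=ok
""".splitlines()


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_credential_stuffing(lines, min_users=5, min_fail_ratio=0.8,
                               window=timedelta(minutes=10)):
    """Return {ip: stats} for sources that tried at least `min_users` distinct
    usernames inside a sliding `window` with at least `min_fail_ratio` of those
    attempts failing. `successes` lists accounts that logged in from that source
    inside the flagged window: the ones whose reused password worked and that a
    provider would reset first.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append(parsed)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])          # stable: ties keep log order
        recent = deque()                      # events inside the current window
        for ts, _, user, ok in evs:
            recent.append((ts, user, ok))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            failures = sum(1 for _, _, k in recent if not k)
            if len(users) >= min_users and failures / len(recent) >= min_fail_ratio:
                # Record the state at the moment an alert would first fire.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(recent),
                    "failures": failures,
                    "successes": [u for _, u, k in recent if k],
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct_users']} usernames, "
              f"{stats['failures']}/{stats['attempts']} failed, "
              f"successful logins: {stats['successes']}")
```

The thresholds are deliberately conservative for a toy log; on a real service you would tune them per endpoint and combine the source address with other keys (user agent, ASN), because stuffing campaigns spread across many addresses. The `successes` list is the actionable output: those are the accounts whose reused password was accepted, which is exactly where a forced password reset and a two-step verification prompt belong.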