Late last night, an anonymous Pastebin user claimed to have compromised almost seven million Dropbox account credentials, including emails and passwords. The user posted the first 400 direct to Pastebin and then proceeded to ask for Bitcoin donations before leaking more.
The original leak has been followed up on, with the leaker continuing to post hundreds of user’s account credentials. However, the passwords and emails that have been posted so far don’t appear to be genuine according to Dropbox, which also stressed that these leaks were the result of a third-party rather than an attack on its own servers.
In a company blog post, titled “Dropbox wasn’t hacked”, Anton Mityagin said: “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”
The post then goes on to encourage users to enable two-factor authentication for better account protection against unauthorized access. Additionally, the company denies that the user information that has been leaked so far is associated with any Dropbox accounts.
Discuss on our Facebook page, HERE.
KitGuru Says: Two-factor authentication is something everyone should use on cloud services like Dropbox. It doesn’t look like Dropbox has been hacked but it is likely that whoever obtained the leaked credentials has led a successful phishing scam and is now hoping that the same user information has been used across multiple websites.