Dropbox dismisses claims of hack affecting 7 million accounts

The credentials leaked by an alleged hacker online were likely stolen from other services, the company said

Hackers claim to have stolen a database of almost 7 million Dropbox log-in credentials, but the company says its service was not hacked and that unrelated websites are the data source.

The first data dump appeared Monday in an anonymous post on Pastebin.com and contained 400 username and password pairs. The author said that it's only the "first teaser" of 6,937,081 hacked Dropbox accounts and asked for community support in the form of Bitcoin donations. The user also claimed to have access to photos, videos and other files from the compromised accounts.

"As more BTC [Bitcoin currency] is donated, more pastebin pastes will appear," the post says.

At least five additional "teaser" posts appeared Monday and Tuesday on Pastebin, containing between 100 and 900 credentials each.

"Recent news articles claiming that Dropbox was hacked aren't true," Anton Mityagin, a Dropbox security engineer said Monday in a blog post. "Your stuff is safe."

According to Mityagin, the usernames and passwords posted were likely stolen from other services, but since the reuse of credentials for different online accounts is common among users, attackers tried to use them on different sites, including Dropbox.

"We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens," he said.

In an update Tuesday to the blog post, Mityagin added that credentials on a new list that was leaked were checked and are not associated with Dropbox accounts.

The incident is somewhat similar to the dumping of 5 million Gmail addresses and passwords online in September. Many initially assumed those credentials were for Google accounts, but it turned out that they likely originated from other services where people used their Gmail addresses as usernames. Google concluded that less than 2 percent of the leaked credentials might have worked to log into Google accounts.

Mityagin encouraged Dropbox users not to reuse passwords across different services and to enable two-step verification for their Dropbox accounts.

"This was either a novel attempt at scaring people into setting up two factor authentication on accounts which allowed it, or a quick and dirty grab for Bitcoins," said Chris Boyd, a malware intelligence analyst at security firm Malwarebytes, via email. "Given Dropbox's claim there's been no compromise and all of the 'sample' accounts were already expired, it's looking more like the latter."

"Anyone can post extravagant claims to Pastebin and while there's no harm in changing a password once word of a potential breach gets out, we shouldn't panic and wait until more concrete information comes to light," Boyd said.

Using separate passwords for different online accounts might sound inconvenient, but it's easy to do with a password management application, as long as it's used securely.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags online safetydropboxGooglesecuritydata breachAccess control and authenticationMalwarebytesprivacy

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?