
Dropbox Denies 7M Password Leak, Says Stolen Logins Are From Other Sites

On Monday, a Reddit thread surfaced with links to Pastebin files containing a slew of Dropbox logins. And, said the hacker, there’s plenty more where that came from—roughly 7 million compromised accounts in total. 

The initial leaks amounted to a few hundred Dropbox usernames and passwords, all in plain text. The anonymous poster claimed this was just a taste of a much larger haul and promised to publish more in exchange for bitcoin "donations." The top of one of the Pastebin files reads:

As more BTC is donated, More pastebin pastes will appear

At this time, the source of the data is unknown. 


Although 7 million accounts is only about 3% of the 220 million that Dropbox serves, that is no consolation for the people whose logins are now public.

Just after contending with a Selective Sync glitch that errantly deleted user files, Dropbox finds itself at the center of another incident involving user data. But this time, the company says, it is not to blame. In a statement to The Next Web, the cloud storage provider flatly denied that it was hacked and instead pointed the finger at third-party services:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

The Reddit community set about checking if the logins were legitimate, and some members claimed that, while several were expired, some others still appeared to be valid as of late Monday night. 

How To Safeguard Yourself

Some Dropbox users may notice a prompt or message from the company urging them to change their passwords or turn on two-step verification (two-factor authentication), a secondary measure that requires entering a six-digit one-time code in addition to the username and password.

But whether you see the warning or not, you would still be wise to take action. It’s better to be safe than sorry. 

Log into your Dropbox account and change your password, choosing one you do not use anywhere else. On the same security settings page you can switch on two-step verification; Dropbox documents the feature in its help pages.

Once you have secured your Dropbox account, take one more step and think about anywhere else you may have used the same username and password combination. You will want to change those too, and then stop reusing credentials across sites. Once logins are out in the open, other parties can try them at site after site, from Facebook and Gmail to the major online banks; automated bots make short work of this, a technique known as credential stuffing.
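Dropbox's statement that it had "previously detected these attacks" describes the service-side view of that same bot traffic. The following is an added example, not code from Dropbox or from the original article, of the simplest detection that catches it: a credential-stuffing run looks like one source trying many different usernames, each once or twice, with a low success rate, which is exactly the pattern a per-account lockout misses. The log format, the addresses, and the thresholds are constructed for this example and are assumptions, not a real log or real tuning.

```python
import re
from collections import defaultdict

# Constructed sample login log, not real Dropbox telemetry. Addresses are from
# the RFC 5737 documentation ranges. 203.0.113.7 shows the stuffing pattern
# (many different usernames, each tried once, mostly failing); 192.0.2.9 is a
# single user mistyping a password twice; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
2014-10-13T22:01:05Z ip=198.51.100.4 user=alice@example.com result=ok
2014-10-13T22:01:09Z ip=198.51.100.4 user=alice@example.com result=ok
2014-10-13T22:02:11Z ip=203.0.113.7 user=bob@example.com result=fail
2014-10-13T22:02:12Z ip=203.0.113.7 user=carol@example.com result=fail
2014-10-13T22:02:12Z ip=203.0.113.7 user=dave@example.com result=ok
2014-10-13T22:02:13Z ip=203.0.113.7 user=erin@example.com result=fail
2014-10-13T22:02:13Z ip=203.0.113.7 user=frank@example.com result=fail
2014-10-13T22:02:14Z ip=203.0.113.7 user=grace@example.com result=fail
2014-10-13T22:02:14Z ip=203.0.113.7 user=heidi@example.com result=ok
2014-10-13T22:02:15Z ip=203.0.113.7 user=ivan@example.com result=fail
2014-10-13T22:03:40Z ip=192.0.2.9 user=judy@example.com result=fail
2014-10-13T22:03:55Z ip=192.0.2.9 user=judy@example.com result=fail
2014-10-13T22:04:10Z ip=192.0.2.9 user=judy@example.com result=ok
"""

# Assumed line layout: "<timestamp> ip=<addr> user=<name> result=ok|fail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Yield (ip, user, succeeded) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "ok"


def summarize_by_ip(text):
    """Per source IP: attempts, failures, distinct usernames, and users that logged in."""
    stats = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "succeeded": set()}
    )
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["succeeded"].add(user)
        else:
            s["failures"] += 1
    return stats


def detect_credential_stuffing(text, min_distinct_users=5, min_failure_ratio=0.5):
    """Return {ip: sorted users who logged in from it} for sources that look like stuffing.

    The tell is the spread across accounts combined with a high failure rate;
    a per-account counter never trips because each account is tried only once.
    Accounts that *succeeded* from a flagged source have just had a reused
    password confirmed, so they are the ones to force-reset. Thresholds are
    illustrative assumptions, not production tuning.
    """
    flagged = {}
    for ip, s in summarize_by_ip(text).items():
        if len(s["users"]) < min_distinct_users:
            continue
        if s["failures"] / s["attempts"] < min_failure_ratio:
            continue
        flagged[ip] = sorted(s["succeeded"])
    return flagged


if __name__ == "__main__":
    for ip, users in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset passwords for {users}")
```

A per-IP threshold is only the first signal: real campaigns are spread across proxy pools so that each address stays under any such limit, and the next step is to look at the same ratio globally (failures on accounts being tried for the first time from an unfamiliar device) rather than per address. The user-facing consequence is the one the text already gives: a forced reset for the accounts where the reused password worked.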

As for this breach, ReadWrite has contacted Dropbox for more information, and will update this post if the company responds. 

Update: Dropbox posted a message on its blog stating that the logins were “stolen from unrelated services.” Unlike Snapchat, whose data breach stemmed from other services using its APIs to connect with it, Dropbox chalks this one up to a much more mundane reason: people using the same password on different services. 

The company says the attackers just kept trying the logins at various sites, including its own: 

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

Update: 10/14/2014 12:30am PT

A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.
