Dropbox claims it has not been hacked, yet up to 7 million Dropbox usernames and passwords have been stolen. The hacker first leaked 400 of these on the Pastebin site and requested Bitcoin donations before releasing more there. Since then the hacker has been posting them in small batches.
With Dropbox adamant it was not hacked, it is still unclear how the hacker obtained the usernames and passwords, but the company did issue this statement:
‘Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.’
Dropbox could not say how many accounts had their passwords expired recently, and some Reddit users have reported that the leaked login details still work, which means the 7 million accounts are potentially still vulnerable. The file-sharing site is also unclear about which third-party service(s) were the source of the breach. If a third-party site was breached, it suggests that web users are reusing the same login credentials across multiple sites, including Dropbox.
It is becoming a common trend for third-party sites to be targeted as a way of gaining access to other organisations' users. For example, it recently happened to Snapchat, where attackers compromised the servers of a third-party app designed to save Snapchat photos and obtained over 100,000 photos from those servers.
The security risk is high, so we recommend changing your Dropbox account password immediately and turning on two-factor authentication on the account. If you use Dropbox for business purposes, we also recommend removing any company or confidential data from the Dropbox web drive as soon as possible, because it is not yet clear whether the 7 million user details belong to valid accounts.
As a precaution, you should also re-evaluate the usernames and passwords you use for other web services. If they are all the same, it is best to change them and use a different password for each service to help lower the risk of one breach exposing every account.
If you have any doubts on the security of your data or network please contact us to discuss on 0845 603 5552 or email firstname.lastname@example.org