A flurry of media reports claiming that Dropbox was hacked made the rounds yesterday—but reporters would appear to have gotten it wrong. Dropbox summed it up thusly: “Your stuff is safe.”
An unnamed hacker had posted online a file filled with user names and passwords, claiming to have lifted them from the cloud-based file-sharing site. In a Reddit thread, the culprit posted links to four Pastebin files containing hundreds of credentials. And he or she asked for Bitcoin donations in order to post more—which is suspicious in and of itself.
“Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts. To see plenty more, just search on [redacted] for the term Dropbox hack. More to come, keep showing your support!”
Hackers often post and repost old lists of credentials in hopes of selling them—even though older passwords are likely to have been changed if the accounts were already hacked. But despite the scam-like aspect of the whole thing, no one verified or disproved the claims in this instance—until Dropbox itself looked into it.
“Recent news articles claiming that Dropbox was hacked aren’t true,” said Anton Mityagin in a blog post. “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.” He added, “Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services.”
The free version of Dropbox is no stranger to security issues and is often held up as a “what not to do” example: the poster child for consumer tools that were never meant for business being used to share sensitive corporate data. Mityagin took the opportunity to talk up Dropbox’s security bona fides:
“We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.” For an added layer of security, Dropbox also offers two-step verification.
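As an added illustration of the kind of suspicious-login detection Mityagin describes (example code written here, not Dropbox’s own), the heuristic below scans a constructed set of authentication events for credential stuffing: one source address trying many distinct accounts with a high failure rate inside a short window, with any account that succeeded during that burst queued for a forced password reset. The log layout, thresholds and sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real service logs):
# (ISO timestamp, source IP, account name, outcome)
SAMPLE_EVENTS = [
    ("2014-10-13T20:00:01", "203.0.113.7", "alice", "fail"),
    ("2014-10-13T20:00:02", "203.0.113.7", "bob", "fail"),
    ("2014-10-13T20:00:02", "203.0.113.7", "carol", "fail"),
    ("2014-10-13T20:00:03", "203.0.113.7", "dave", "success"),  # reused password worked
    ("2014-10-13T20:00:04", "203.0.113.7", "erin", "fail"),
    ("2014-10-13T20:00:05", "203.0.113.7", "frank", "fail"),
    # A legitimate user who mistypes once and then logs in: must not be flagged.
    ("2014-10-13T20:01:00", "198.51.100.5", "alice", "fail"),
    ("2014-10-13T20:01:10", "198.51.100.5", "alice", "success"),
    # Same attacker IP much later: outside the window, so not grouped with the burst.
    ("2014-10-13T21:30:00", "203.0.113.7", "grace", "fail"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: {"accounts": set, "compromised": set}} for every source IP
    that, within any `window`, tried at least `min_accounts` distinct accounts
    with a failure ratio of at least `min_fail_ratio`. "compromised" holds the
    accounts that logged in successfully during such a burst (reset candidates)."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order so the sliding window below is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # shrink window from the left
                start += 1
            win = evs[start:end + 1]
            accounts = {user for _, user, _ in win}
            fails = sum(1 for _, _, outcome in win if outcome == "fail")
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                hit = alerts.setdefault(ip, {"accounts": set(), "compromised": set()})
                hit["accounts"] |= accounts
                hit["compromised"] |= {u for _, u, o in win if o == "success"}
    return alerts


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, "tried", sorted(hit["accounts"]), "reset:", sorted(hit["compromised"]))
```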