Nearly 7 million Dropbox user accounts have reportedly been hacked and exposed. An unknown hacker group has claimed responsibility and says it holds more than 6,937,081 Dropbox account credentials.
The Next Web spotted the leak on Pastebin, where the hackers had posted about 400 account credentials. They promised to release more in return for Bitcoin donations.
The leak first surfaced in a Reddit thread, where several users tested some of the leaked credentials and confirmed that many of them still worked. Judging by later comments in the same thread, Dropbox appears to have bulk-reset the passwords of every account listed in the Pastebin post.
Dropbox denied the hack
As Snapchat did recently, Dropbox blamed third-party services for the breach, stressing that its own security had not been compromised.
Dropbox’s Anton Mityagin writes in a blog post:
Recent news posts claiming that Dropbox was hacked are false. Your stuff is completely safe. The credentials referenced in these articles were stolen from third-party services, not Dropbox. Cyber criminals then used these stolen credentials to try to log in to websites across the internet, including Dropbox. We already have measures in place to detect suspicious login activity, and we automatically reset passwords when it happens.
Dropbox Users Are Advised to Change Their Passwords
Attacks like these are one of the reasons why we strongly encourage our users not to reuse passwords across services. For an added layer of security, we recommend enabling 2-step verification on your account.
Dropbox also issued a statement saying that “it had not been hacked. These credentials were unfortunately stolen from third party services and used in attempts to log in to Dropbox user accounts.”
“We had previously detected these attacks and the vast majority of the passwords posted on the list had already been expired. All other remaining passwords have been expired as well.”
It is still unclear which other websites were the source of the stolen credentials. Dropbox’s statement does, however, confirm that the initially posted credentials were genuine logins for its service: a password only needs to be expired if it matched a real Dropbox account.
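What Dropbox describes above, stolen third-party credentials replayed against its login page and passwords reset automatically when that is detected, is credential stuffing. The following is an added example, not Dropbox’s code, of the detection logic a service can run over its own login events. The log format, the source addresses, the account names and the thresholds (five distinct accounts from one source within five minutes, with at most half of the attempts succeeding) are all constructed for illustration. The distinguishing signal is one source trying many different accounts, which separates a stuffing bot from a single user who mistypes their own password several times.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample login events, one per line:
#   "<ISO-8601 time> <source IP> <account> <OK|FAIL>"
# 203.0.113.7 behaves like a stuffing bot: eight different accounts in seven
# seconds, mostly failures, two reused passwords that still work.
# 198.51.100.5 is a legitimate user who mistypes once and then logs in.
# 192.0.2.9 is a legitimate user with a single successful login.
SAMPLE_LOG = """\
2014-10-13T20:00:01Z 203.0.113.7 alice@example.com FAIL
2014-10-13T20:00:02Z 203.0.113.7 bob@example.com FAIL
2014-10-13T20:00:03Z 203.0.113.7 carol@example.com OK
2014-10-13T20:00:04Z 203.0.113.7 dave@example.com FAIL
2014-10-13T20:00:05Z 203.0.113.7 erin@example.com FAIL
2014-10-13T20:00:06Z 203.0.113.7 frank@example.com OK
2014-10-13T20:00:07Z 203.0.113.7 grace@example.com FAIL
2014-10-13T20:00:08Z 203.0.113.7 heidi@example.com FAIL
2014-10-13T20:05:00Z 198.51.100.5 ivan@example.com FAIL
2014-10-13T20:05:09Z 198.51.100.5 ivan@example.com OK
2014-10-13T20:06:00Z 192.0.2.9 judy@example.com OK
"""


def parse_log(text):
    """Parse the constructed log into (time, ip, account, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, account, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events, window_seconds=300, min_distinct_accounts=5, max_success_rate=0.5):
    """Return {ip: accounts_attempted} for sources that look like credential stuffing.

    A source is flagged when, within any sliding window of window_seconds, it
    attempts at least min_distinct_accounts different accounts and no more than
    max_success_rate of those attempts succeed. Repeated failures against a
    single account (a user mistyping) never reach the distinct-account threshold.
    """
    by_ip = defaultdict(list)
    for when, ip, account, ok in events:
        by_ip[ip].append((when, account, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        window = deque()
        for when, account, ok in attempts:
            window.append((when, account, ok))
            # Drop attempts older than the window.
            while (when - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = {a for _, a, _ in window}
            if len(distinct) >= min_distinct_accounts:
                successes = sum(1 for _, _, o in window if o)
                if successes / len(window) <= max_success_rate:
                    # Once a source is flagged, every account it touched is suspect.
                    flagged[ip] = {a for _, a, _ in attempts}
                    break
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts where a flagged source actually logged in: the reused passwords that still worked."""
    return sorted({account for _, ip, account, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, accounts in hits.items():
        print(f"suspicious source {ip}: {len(accounts)} accounts attempted")
    print("force password reset for:", accounts_to_reset(evs, hits))
```

The reset list is deliberately limited to accounts the flagged source logged into successfully; the failed attempts are accounts whose owners did not reuse the leaked password, and resetting them adds friction without closing any hole. In production the same logic would key on more than the source address (stuffing campaigns rotate through proxies), but the many-accounts, low-success shape of the traffic is the signal that survives that change.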
In a recent interview, whistleblower Edward Snowden suggested that people should find and use encrypted tools and stop using services that are hostile to privacy: “Like Dropbox? Get rid of services like Dropbox, it doesn’t support encryption.” Dropbox replied that “protecting the users information is always their top priority. All data & files sent and retrieved from Dropbox servers are encrypted while travelling between you and our servers, as well as when they are at rest on our servers”. The two statements talk past each other: Snowden’s point concerns client-side (end-to-end) encryption, where the provider never holds the keys, while Dropbox describes transport encryption and server-side encryption at rest, where Dropbox holds the keys and can therefore read, or be compelled to hand over, the files.
Security Tip from HackingPost :
We suggest that our readers enable 2-step verification on their accounts and never reuse a password across services; a password manager makes unique passwords practical. If you have used your Dropbox password anywhere else, change it everywhere it was used.