Hundreds of account credentials for the Dropbox cloud storage service have been leaked, as a teaser for what the perpetrator claims is a database of almost seven million accounts.
A list of 400 username and password combinations for Dropbox was posted onto the Pastebin service by an anonymous user who requested Bitcoin donations to be sent to a specific address in order to release more. Dropbox, however, has indicated that it is not the source of the leak and that its own internal servers have not been compromised, placing the blame instead at the feet of unnamed third-party services which link to Dropbox accounts.
'Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,' claimed Dropbox's Anton Mityagin in a blog post on the matter. 'Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
'Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account,' Mityagin added, referring to the ability to lock a Dropbox account so that it requires a one-time password generated by a smartphone application in order to log in - making a username and password useless without the smartphone.
Following the receipt of Bitcoin donations, the attacker posted another list early this morning but Dropbox claims these - unlike the mostly-valid collection originally posted - are not associated with active Dropbox accounts, suggesting that the attacker's claim of having a database of 6,937,081 accounts is hyperbole.