Breaking: Dropbox user accounts appear to have been compromised, with hackers proclaiming that up to “seven million” user passwords are now available.
Hackers posted the accounts, with plaintext passwords, to Pastebin.com. A significant number of social media reports, including Reddit users, confirm that the logins work.
Dropbox has been notified of the hack, with indications that the company is attempting to reset all passwords to prevent access from the Pastebin list of accounts.
The Pastebin message at the top of one of the leaks is as follows:
Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on pastebin for the term Dropbox hack. More to come, keep showing your support
Another message puts the figure at precisely 6,937,081 hacked accounts, and calls for Bitcoin donations to this address to secure more leaks. As of publication, only 0.0001 BTC had been deposited, approximately five cents in Australian dollars.
The sample passwords appear to be basic words and numbers, such as ‘junior33’ or ‘pa55word’, with no long, complicated strings showing, which may indicate a brute-force attack.
Change your password
We strongly advise you to change your Dropbox password and set up two-factor authentication as soon as possible. Two-factor authentication requires a separate mobile phone to receive a one-time six-digit PIN. Best practice is also to change the password on any other site where you use the same one as on Dropbox; password reuse is a reality for many people unaware of the security risk it poses.
Normal procedure for companies that handle login information is to ‘hash’ passwords, so that they are stored in a scrambled, one-way form rather than as plaintext and cannot be linked back to the original password. For whatever reason, that doesn’t appear to be the case here: the hackers have released plaintext logins, that is email addresses together with the actual passwords.
That may indicate that Dropbox itself has not been hacked, but that third-party extensions or plugins that use Dropbox have been compromised – which may significantly reduce the number of accounts actually compromised.
More to come.
Update: Dropbox appears to have reset user passwords; users whose account details appeared on Pastebin are seeing a notice that their passwords have expired.
Further update: Dropbox has said in a statement to Techly via a spokesperson that it is not to blame for the leaked passwords, and these were stolen from other services not controlled by the company:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
Dropbox has further indicated it doesn’t know, at this stage, which ‘other service’ might have been at fault:
It’s unclear – it could have been any service across the web where their username/password was vulnerable.
Final word from Dropbox, who have released this statement via their blog:
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We’ve put in place measures to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Update 3: Several hundred more accounts have been leaked in the last hour or so – the final total is in excess of several thousand.
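Dropbox's statement above describes detecting suspicious login activity and automatically resetting passwords. As an added example (not Dropbox's code; the log format, IP addresses and thresholds are constructed), here is a minimal detector that separates credential stuffing, where one source tries many different accounts with a low success rate, from a single user retrying their own password:

```python
# Added example (not Dropbox's code): a minimal credential-stuffing detector
# over constructed login-event lines. Accounts that succeed from a flagged
# source are the ones whose passwords should be expired.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp ip user result" format.
SAMPLE_LOG = """\
2014-10-13T22:00:01 203.0.113.7 alice@example.com FAIL
2014-10-13T22:00:02 203.0.113.7 bob@example.com FAIL
2014-10-13T22:00:02 203.0.113.7 carol@example.com OK
2014-10-13T22:00:03 203.0.113.7 dave@example.com FAIL
2014-10-13T22:00:04 203.0.113.7 erin@example.com FAIL
2014-10-13T22:00:05 203.0.113.7 frank@example.com OK
2014-10-13T22:00:09 198.51.100.2 alice@example.com FAIL
2014-10-13T22:00:15 198.51.100.2 alice@example.com OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def stuffing_sources(events, window=timedelta(minutes=5),
                     min_accounts=5, max_success_rate=0.5):
    """Return {ip: set of accounts that logged in OK} for every source that
    tried at least min_accounts distinct accounts inside one window with a
    success rate at or below max_success_rate (the credential-stuffing shape)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):          # slide the window
            span = [e for e in evs[i:] if e[0] - start <= window]
            if len({u for _, u, _ in span}) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in span if ok)
            if successes / len(span) <= max_success_rate:
                flagged[ip] = {u for _, u, ok in span if ok}
                break
    return flagged

def accounts_to_reset(log_text):
    """Accounts that authenticated from a flagged source: force a password reset."""
    return sorted(set().union(*stuffing_sources(parse(log_text)).values()))
```

The legitimate user at 198.51.100.2 who mistypes once is not flagged, while the two accounts that succeeded from the spraying source are returned for reset.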