Hundreds of Dropbox logins leak, but storage service says they came from elsewhere


Dropbox has denied reports that it was hacked, after scores of purported logins and passwords were leaked online.

The information appeared in a few Pastebin posts, each containing about 100 credentials, linked to by someone who wanted bitcoins in return for leaking more. Reddit users confirmed that some of the login details worked, but Dropbox used a blog post to argue that it wasn’t the source of those credentials, many of which won’t work anyway:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

The service told Ars Technica that it had “previously detected these attacks and the vast majority of the passwords posted have been expired for some time now.”

In its post, Dropbox reminded users to avoid using the same password across different accounts, and to turn on two-step authentication so that a handset-derived, one-time code is also needed to log in. Dropbox’s version of events sounds eminently plausible, and its advice is good (though those looking for added security might want to consider a Dropbox-compatible encryption service such as Boxcryptor).

Personally, I recently started using 1Password to generate and store strong passwords for the various services I use – funnily enough, it needs Dropbox to more easily synchronize between devices – and I turn on two-factor authentication wherever I can. As of this morning’s reminder, that includes two-factor for Dropbox.

2 Comments

Walt

Dropbox has never been secure. They’ve had security issues in the past too, and offer throw-away comments about how it’s not as bad as it seems. They provide a great service that’s super convenient, you just can’t put any of your sensitive data up there.
