Popular online locker service and cloud storage service Dropbox appears to have been hacked. A series of posts have been made to Pastebin purporting to contain login credentials for hundreds of Dropbox accounts, with the poster claiming that altogether 6,937,081 account credentials have been compromised. The hackers apparently are willing to divulge more username/password pairs if they receive donations to their bitcoin address.
The hacker who has leaked the login credentials in three tranches as of now. The first tranche given here was leaked 6 hours ago and the second one given here was just 4 hours ago. While writing this article another of these leaks, which the hacker calls ‘Dropbox Hack Teaser’ has been leaked here As the three pastes dont contain all the 6,97,0381 Dropbox account credentials claimed to hacked and just like the hacker says, this are Dropbox hack teasers, there will be flood of pastes to follow.
Reddittors confirm that passwords work
The leak apparently surfaced on this Reddit thread, where the other Reddit users who have tested some of the leaked credentials have confirmed that many of still work. Going by the comments on Reddit, Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings and that is the reason, logging on to those accounts will require you to put in a Captcha code. But thus far other accounts do not appear to have had their passwords reset.
Still, a lot more confirmed that the leaked credentials are working.
Dropbox has sent the following statement to ArsTechnica
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
In the meantime, Techworm requests all Dropbox users to change your passwords ASAP and enable a two-factor authentication. Due to the leaks, Dropbox is apparently struggling to keep up with the process of passwords change and enabling two-factor authentication but it would be wise to get it done soon.
Update: In a blogpost Dropbox said that it wasn’t hacked. The brief statement is given below :
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.