Dropbox hacked, 7 million usernames & passwords released
On the heels of last week’s release of almost 100,000 stolen Snapchat pictures and videos comes a new revelation. The popular cloud storage service Dropbox was allegedly hacked, and almost 7 million usernames and passwords were released on the website Pastebin. Someone on reddit posted a series of links on Monday evening to files that allegedly contained the stolen usernames and passwords. Other redditors chimed in right after the links were posted, saying that they had been able to log in to some of the Dropbox accounts using the listed credentials. You can read the reddit thread here: http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox_been_hacked_passwords_dumped_on/
Dropbox hacked, responds to the leak
The company released a statement on its blog denying that its services had been breached. This was in stark contrast to what was being said on reddit. Here is an excerpt from the Dropbox blog:
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though passwords for other accounts do not appear to have been reset. The hackers claim that they will release more username/password pairs if they receive donations to their Bitcoin address.
How to protect your account
Below are two steps you can take to protect your Dropbox account from any malicious activity.
1. Reset your password
To change your password, log in to your Dropbox account, click on your name and choose “settings.” Then, click on the security tab.
2. Enable two-factor verification
You can also enable two-factor verification, which requires either a cellphone or an app. A code will be sent to the cellphone or app whenever you (or someone else) attempt to access the account from a new device. The option to enable two-factor verification is found in the security tab.
The security page will also show you all devices that have been linked to your account as well as which ones are currently logged in.
Time to change your passwords
If you have a Dropbox account, it is a good idea to change your password on any other website, app or service where you use the same username and password. As a rule of thumb, you always want to use a unique password for every site or app that you use. Below are some comments from redditors that explain the situation really well.