News reports are circulating on the web and offline that Dropbox has been breached, with millions of passwords in the hands of hackers. But is this the full story?
The Claim: Dropbox Has Been Hacked
On Sunday we began hearing the first rumours that Dropbox had been hacked. The implications of a password leak for users of the popular cloud storage service are considerable, from the loss of vital projects to personal data being stolen.
According to the hackers, 6,937,081 Dropbox accounts have been compromised. A sample of 400 was posted to Pastebin, along with a demand for payment in the Bitcoin cryptocurrency before more account details would be revealed.
MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN
As more BTC is donated, more Pastebin pastes will appear
To find them, simply search for “DROPBOX HACKED” and you
will see any additional pastes as they are published.
FIRST TEASER – 400 DROPBOX ACCOUNTS Just to get things going…
It’s fair to say that 400 is a good number to start getting people interested. Immediately the news started appearing on tech sites and Reddit, dancing across Twitter and mainstream news sources.
As with other reported leaks in the past few months, however (most recently the overstated implications of The Snappening), the claim that Dropbox itself had been hacked turned out to be something of an exaggeration.
“No We Haven’t” Says Dropbox
Responding to the claims, Dropbox – whose user base numbers over 220 million – released a blog post in which they denied the claims of a hack.
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
They later updated the blog:
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.
This, of course, would be reassuring if not for the fact that…
Some Credentials Work, Say Reddit Users
Just when you thought all was right with the world again, and that the “hack” was nothing more than a random collection of usernames and passwords acquired by spammers five years ago, it turns out that Dropbox hasn’t been entirely forthright in its rebuttal.
Reddit users have been checking some of the username and password combinations and found that some work.
This clearly causes a problem.
Although the list of names that the hackers claim to have is only around 3% of the total number of Dropbox users, it still represents a sizeable number of accounts.
You could be one of them.
You Must Know What To Do By Now: Change Your Password & Use 2FA!
So far in 2014 we’ve had accounts breached at eBay, as well as at JP Morgan, Home Depot and Target. We’ve also had claims of what can only be described as an über hack of 1.2 billion credentials that turned out to be at best spurious and at worst an attempt to farm usernames and passwords with a bogus “have you been hacked?” tool.
By now, you should be aware of what you need to do. Here’s a reminder:
First, change your Dropbox password. It should be something completely new that you don’t use anywhere else: the credentials on the leaked list were harvested from other services and then replayed against Dropbox, so a reused password is exactly what this kind of attack relies on. If you’re stuck, use our guide to make secure, memorable passwords. You can change your Dropbox password by logging in to the website, clicking on your name, then Settings > Security > Change password.
Whether you think you have been caught in this hack or not, it is safest to change the password.
Second, on the same screen, enable the Two-step verification option. Follow the instructions, which will require either an SMS message sent to your phone for verification or the installation of an authenticator app. Android, iPhone and BlackBerry users can install Google Authenticator, while Windows Phone users have Authenticator. With this enabled, a stolen password on its own is no longer enough to get into your account.
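To show what the authenticator-app option actually does, here is an added example (not code from this article, from Dropbox or from Google Authenticator) of the time-based one-time password scheme such apps implement (RFC 6238 TOTP, built on RFC 4226 HOTP), together with a constructed login check that requires both the password and the current code. The base32 secret is the public RFC 6238 test key, the user record and salt are constructed for the demo, and the password hashing is deliberately simplified.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 secret of the kind an authenticator app imports from a QR code at enrolment.
# This is the RFC 6238 test secret ("12345678901234567890"), not anyone's real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 string shown during 2FA enrolment into raw key bytes."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second windows since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one window either side (phone clock drift), compared in constant time."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed user record: a salted password hash plus the enrolled 2FA secret.
# A real service would use a slow hash (bcrypt, scrypt, Argon2); sha256 keeps the demo dependency-free.
_SALT = b"constructed-demo-salt"
DEMO_USER = {
    "password_hash": hashlib.sha256(_SALT + b"correct horse battery staple").hexdigest(),
    "totp_secret": decode_secret(DEMO_SECRET_B32),
}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: a password replayed from another site's breach is not enough on its own."""
    pw_ok = hmac.compare_digest(
        hashlib.sha256(_SALT + password.encode()).hexdigest(), user["password_hash"]
    )
    code_ok = verify_code(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(DEMO_USER["totp_secret"], now)
    print("password + current code :", login(DEMO_USER, "correct horse battery staple", current, now))
    print("password alone (stuffed):", login(DEMO_USER, "correct horse battery staple", "000000", now))
```

The same verification logic runs on the service's side; the phone only needs the shared secret and a roughly accurate clock, which is why the code keeps working without a network connection and why a password list harvested elsewhere cannot produce it.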
Hacks and rumours of hacks are becoming increasingly commonplace. The safety of your digital persona – something that encompasses email, social networking and financial transactions – depends on you keeping your accounts safe and secure.
Do you use Dropbox? Are you concerned by this alleged leak? Tell us your thoughts in the comments section.