Were Dropbox Passwords Hacked?Hackers' Claims Debunked by Company
Hackers are claiming to have obtained usernames and passwords for 7 million Dropbox accounts. But the cloud storage company says it wasn't breached and that the credentials do not appear to be associated with Dropbox accounts. It says the credentials likely came from "unrelated services."
"Attackers ... used these stolen credentials to try to log in to sites across the Internet, including Dropbox," the company says in an Oct. 13 blog post. "We have measures in place to detect suspicious log-in activity and we automatically reset passwords when it happens."
The self-proclaimed hackers have been teasing the stolen credentials on Pastebin, releasing small "sample" amounts of accounts.
"Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services," Dropbox says.
The credential leak highlights the need to enable two-factor authentication for online services such as Dropbox, which is recommending its users enable the functionality on their accounts.
"Businesses should be identifying users in their environments who have Dropbox installed on their systems and either force them to remove it or enable two-factor authentication," says Tim Erlin, director of security and risk at Tripwire, a cyberthreat detection company.
The incident appears to be a scare tactic, because Dropbox claims there's been no compromise, says Chris Boyd, an analyst at Malwarebytes, an anti-malware firm. "Anyone can post extravagant claims to Pastebin," he says. "While there's no harm in changing a password once word of a potential breach gets out, we shouldn't panic and wait until more concrete information comes to light."