Hackers may have compromised 7m Dropbox accounts

Update (10:47): Dropbox has confirmed that it wasn’t hacked and that details posted online claiming to be usernames and passwords are fake. The cloud storage company said that the details were stolen from “unrelated services, not Dropbox”. Attackers then used the stolen credentials to attempt to login to Dropbox accounts.

“We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” a spokesperson explained.

Dropbox said it had checked a list of usernames and passwords posted online and confirmed they were not associated with Dropbox accounts. Users are still encouraged to enable two-step verification whenever it is available and never to use the same password more than once.

Original story: Hackers have apparently compromised cloud storage company Dropbox, with a series of posts revealing the usernames and passwords of thousands of users – and those responsible claiming to have access to seven million more.

The account details were posted to Pastebin overnight, with the hackers suggesting 6,937,081 more records would be released if they receive donations to a bitcoin address. Reddit users have already confirmed the legitimacy of some of the leaked account details, although Dropbox has now taken steps to bulk reset all the accounts listed in the Pastebin documents.

According to a Dropbox spokesperson, the site itself has not been hacked, but rather obtained from other websites and used to try to log in to the locker service. “We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well,” the company explained in a statement.

Even though Dropbox says it is aware of the data breach and has already taken steps to change affected users’ passwords, large scale username and password leaks are a timely reminder not to use the same account details for multiple websites or services. It’s also a bad idea to store private documents that could be used for the purposes of identity theft in the cloud, at least in an unencrypted form, such as driving licence scans, passport details or digital versions of your signature.

If you are worried your account may be affected by the breach, it’s best to change your password just to be sure. Dropbox also supports two-factor authentication, which can further protect your account details from hacks such as this, by requiring you to enter a unique code, which changes every minute, when you log in, as well as your password.

To enable this, sign into the Dropbox website, click on your name in the upper right corner, then choose Settings -> Security from the menu that appears. Click Enable Two-factor Authentication to get started. You can choose to have the unique codes sent via SMS or generated via an app on your phone. We prefer the second method, using Google’s app – see our guide on how to use Google Authenticator for more information.