A thread posted on Reddit today claims a massive hack of 7 million Dropbox accounts. The post contained hundreds of usernames and passwords as a tease to “prove” the veracity of the claim. Dropbox, however, says the claims are false.
Hackers posted the thread on Reddit, and some Reddit users allegedly confirmed that at least some of the leaked credentials actually work. Even if that’s true, though, we don’t yet know where the credentials came from, or how the attackers were able to obtain them. It’s premature to just assume that Dropbox itself was hacked in any way.
“We saw this kind of claim after the news of the eBay breach—someone posted an ad saying they had the data from the eBay compromise and would sell it for bitcoin. Analysis of the free ‘sample’ they offered revealed that the information was not from eBay at all,” cautioned Tod Beardsley, engineering manager, Rapid7. “It is not necessarily the case that the same is true here—the data could be from Dropbox—but until Dropbox confirms a breach, or the data being offered is analyzed and verified as being from Dropbox, this is all just speculation.”
In fact, Dropbox has responded to state unequivocally that it was not hacked. In a statement to The Next Web, Dropbox asserted, “Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.”
The moral of the story? Don’t believe everything you read online—especially if it was written by would-be cybercrooks in the first place.
The secondary moral of the story is to make sure you don’t re-use username and password combinations between different sites and services. If you do that, a compromise of one site or service can have a domino effect that leads to other sites and services being compromised as well.
Beardsley stressed, “Regardless of the veracity of the claim of compromise, the advice given by Dropbox is still applicable: users should avoid reusing passwords between services. At a minimum, email passwords should be unique and rotated often in order to avoid password reset attacks.”
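The two defensive steps Dropbox describes in its statement, detecting credential-stuffing attempts and expiring any password that also appears in a dump stolen elsewhere, can be illustrated with a small script. The code below is an added example, not Dropbox's or Rapid7's code, and the log lines, account store, leaked pairs and thresholds are all constructed for illustration; a production system would keep salted passwords under a slow hash such as bcrypt or Argon2 rather than the SHA-256 used here for dependency-free brevity.

```python
"""Added example: flag credential-stuffing sources in an auth log and
list accounts whose current password matches a leaked (user, password)
pair, so those passwords can be expired. All data below is constructed."""
from collections import defaultdict
import hashlib
import hmac

# Constructed auth log: one login attempt per line.
SAMPLE_LOG = """\
2014-10-13T09:00:01 src=198.51.100.7 user=alice@example.com result=FAIL
2014-10-13T09:00:02 src=198.51.100.7 user=bob@example.com result=FAIL
2014-10-13T09:00:02 src=198.51.100.7 user=carol@example.com result=OK
2014-10-13T09:00:03 src=198.51.100.7 user=dave@example.com result=FAIL
2014-10-13T09:00:03 src=198.51.100.7 user=erin@example.com result=FAIL
2014-10-13T09:00:04 src=198.51.100.7 user=frank@example.com result=FAIL
2014-10-13T09:05:10 src=203.0.113.9 user=alice@example.com result=FAIL
2014-10-13T09:05:40 src=203.0.113.9 user=alice@example.com result=OK
"""


def parse_log(text):
    """Turn 'key=value' fields after the timestamp into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        events.append(fields)
    return events


def detect_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """A single source trying many distinct usernames with mostly failures
    is the signature of a credential list being replayed. Returns
    {source_ip: sorted usernames tried} for sources over both thresholds."""
    by_src = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = by_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] != "OK":
            s["fails"] += 1
    flagged = {}
    for src, s in by_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = sorted(s["users"])
    return flagged


def _hash(salt, password):
    # Illustrative only; use bcrypt/scrypt/Argon2 in a real password store.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed password store: user -> (salt, digest). alice reused a
# password that also appears in the leaked dump; bob did not.
STORED = {
    "alice@example.com": ("salt-a", _hash("salt-a", "hunter2")),
    "bob@example.com": ("salt-b", _hash("salt-b", "correct-horse-battery")),
}

# Constructed leaked pairs, as if taken from a dump of some other service.
LEAKED = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("zed@example.com", "password1"),
]


def accounts_to_expire(leaked_pairs, stored):
    """Return users whose current password equals the one leaked for them.
    These are the accounts whose passwords should be expired and reset."""
    hits = []
    for user, leaked_pw in leaked_pairs:
        if user not in stored:
            continue
        salt, digest = stored[user]
        if hmac.compare_digest(_hash(salt, leaked_pw), digest):
            hits.append(user)
    return hits


if __name__ == "__main__":
    print("stuffing sources:", detect_stuffing(parse_log(SAMPLE_LOG)))
    print("expire passwords for:", accounts_to_expire(LEAKED, STORED))
```

The detector deliberately keys on distinct usernames per source rather than failures per user, since a stuffing run touches each account only once or twice and never trips a per-account lockout; the expiry check only ever hashes the leaked plaintext against the stored digest, so no stored password has to be recoverable.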