davelewis
Contributor

Dropbox hacked again?

Opinion
Jan 10, 2014 | 3 mins
Application Security, Cybercrime

This evening I was lying in bed reading a book and unwinding from a busy week. I was starting to feel a little drowsy when my phone buzzed on the nightstand. My friend Jason Kendall had just sent me a direct message on Twitter. “– you might want to look at @1775sec steam.” was the message. 

Hmm, a relatively new account. “Lulz” you say? This can’t be good for someone. I was right. The account is claiming that they have hacked Dropbox.com. Ouch! Dropbox has had a series of security issues over the last couple years.

Sure enough, there was the “experiencing issues” status page. Hmm.

Further to their announcement the account holder is threatening to release a database if they do not fix their issues in a timely manner. The plot thickens.

Several folks reached out to Dropbox including yours truly. Alice Truong from Fast Company received a response from Dropbox, “When asked if hackers/Anonymous had a role in outage, Dropbox repeats it was ‘an issue that arose during routine internal maintenance.'”

I hope for Dropbox’s customers that they have not been compromised and the database isn’t about to be leaked. I’d not be pleased to have my credentials leaked.

Once I hear back from Dropbox I will update the article.

Stay tuned.

[UPDATE]: Here is a link to an alleged database dump on pastebin. Which coincidentally matches this pastebin. (H/T Wesley McGrew)

[UPDATE 2]: I’ve received word back from Dropbox. They’re maintaining that this is due to an internal issue and not due to a breach.

From: Dropbox PR Team

Date: Fri, Jan 10, 2014 at 10:48 PM

Subject: Re: seeking comment: Dropbox possible compromise?

To: Dave Lewis

We are aware that the Dropbox site is currently down. This was caused during routine internal maintenance, and was not caused by external factors. We are working to fix this as soon as possible. We apologize for the inconvenience.

– Dropbox PR Team

[UPDATE 3] So, based on the obviously forged database leak and the note from the Dropbox folks, it looks like we can chalk this one up to a hoax.

[UPDATE 4] And the final update comes to us from Dropbox. 

———- Forwarded message ———-

From: ********

Date: Fri, Jan 10, 2014 at 11:47 PM

Subject: Re: seeking comment: Dropbox possible compromise?

To: Dave Lewis 

   

Dropbox site is back up. 

 

In regards to claims of “leaked user information” – this is a hoax. This is not Dropbox data. The list was published 12/9/13 at: http://pastebin.com/64PAAV1c

 

Today’s outage was caused during internal maintenance, and was not caused by external factors. We apologize for any inconvenience.

Thanks for that update from the folks at Dropbox. I’m glad to see that no users had their information compromised.

It was mused by a couple people online “why would I care? I have two factor authentication enabled”. Well, sadly those people are in the minority. I wouldn’t want my credentials exposed for a very simple reason. I wouldn’t be alone.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
