Login details to over 7 million accounts on file sharing service Dropbox have been stolen, with the hacker requesting Bitcoin for the disclosure of information.

The details were posted in a Pastebin document, followed by several more posts which were since revealed to be fakes.

Meanwhile, Dropbox has taken to its blog to reassure users that the details were not stolen directly but from third parties, and that its API and security had not been compromised at any point:

“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”

Nonetheless, the breach highlights the problems associated with placing trust in centralized operations and the flexibility of sharing user data. That the credentials were taken from parties other than Dropbox will likely add fuel to the fire regarding treatment of information.

In a previous statement to The Next Web, Dropbox further sought to quell any panic:

“These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.”

While all logins affected have now been reset, the response from Dropbox highlights that they were indeed genuine, TechCrunch notes, despite the fact that no accounts were in fact compromised by malicious activity.

“If it’s a case of simple password cross pollination (i.e. web users reusing the same login credentials) across multiple services then Dropbox’s claim that its servers have not been hacked does technically stand up,” it says. “However the end result — user accounts compromised — is the same.”

Dropbox logo

Alternatives to ensure security include SpiderOak, which uses a zero knowledge system to make attempted hacking unfeasible.

Meanwhile, the true extent of information in the wrong hands is difficult to determine; a mixture of “exaggeration” and “downplaying”, as one Gizmodo commenter writes, serves as a timely reminder of the imperfections of current mainstream security norms used by Dropbox and other allegedly affected sites.

Dropbox offers a 2-factor authentication feature, use of which is optional but would have created considerable difficulty in accessing accounts. Whether heightened security requirements will be implemented for users in future has not yet been revealed, but the onus will be on Dropbox to reassure the community that a repeat theft – or indeed a full-blown hack – can and will be prevented in future.

Community commentary

Michal Wendrowski (Internet Security Specialist, Rublon):

"This incident shows again that relying on passwords, in particular reusable passwords, poses a threat to the safety of the Internet as a whole. The passwords were supposedly stolen from other services, but they might have also been generated by the attacker and used in a brute force or dictionary attack.

"There are many possibilities and we will probably not be informed about the exact circumstances of the attack. Services are responsible for their users' safety. To assure this, they need to enable account protection for everyone by default. The protection level needs to be aligned to the type of service. Performing a money transfer should require a confirmation using your phone, but signing in to an online chat might only require identity proof via email.

"I strongly recommend to only use cloud services that allow you to protect your account via two-factor authentication. Relying on passwords poses a threat to your safety. These attacks will continue."


Did you enjoy this article? You may also be interested in reading these ones: