An anonymous hacker recently claimed to have leaked a few hundred usernames and passwords from Dropbox accounts. A series of posts has been made to Pastebin claiming to contain login credentials for hundreds of Dropbox accounts. The leak, which comes from an anonymous user who is taking Bitcoin donations in exchange for the full disclosure, contains accounts with email addresses starting with the letter "B". The hacker claims that more username/password pairs will be released as soon as they receive donations to their Bitcoin address. According to the hacker, a total of 6,937,081 account credentials have been compromised so far.
Meanwhile, Reddit users have tested some of the leaked credentials and confirmed that at least some of them work. Dropbox seems to have performed a bulk reset on all the accounts listed in the Pastebin postings, though thus far other accounts do not appear to have had their passwords reset. If your account was one of the "B" accounts already leaked, you should have already received a notification from Dropbox to reset your account.
A spokesperson from Dropbox has stated that the file hosting service has not been hacked, and that the leaked credentials are likely to have come from third-party services. These usernames and passwords were unfortunately stolen from other services and used in an attempt to log in to Dropbox accounts. In addition, Dropbox claims that the vast majority of the passwords posted have been expired for some time now, and in all probability the remaining passwords have been expired as well.
Either way, it's probably wise to change your Dropbox password to a strong one and, if practical, enable two-factor authentication. The same should be done for any other website that uses the same credentials. A little patience might also come in handy, since the service currently appears to be struggling to process password changes in a timely manner.
I could not have written this article without the help of the following sources:
- http://arstechnica.com/security/2014/10/7-million-dropbox-usernamepassword-pairs-apparently-leaked/
- http://gizmodo.com/change-your-password-hackers-are-leaking-dropbox-user-1645981610?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
- http://lifehacker.com/hundreds-of-dropbox-passwords-leaked-change-yours-now-1645982533?utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow