Dropbox wasn’t hacked, says leaked credentials are from unrelated services
Dropbox has denied that they have been hacked, and that the login credentials leaked by a unknown individual on Pastebin are those of Dropbox users.
The leaker released the first batch of credentials some 12 hours ago, and has asked interested users to donate bitcoins in order for the leaks to continue. In the following hours, he or she continued to leak batches even though only one donation was made.
Simultaneously, more batches have been released by the same or another person, and another bitcoin address has been provided fo the donations (none have yet been given).
After news spread on Reddit, Dropbox has reacted pretty quickly and issued a statement.
“Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox,” Anton Mityagin from the Dropbox security department noted in a post.
“Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account,” he pointed out, adding that the company has measures in place to detect suspicious login activity and that they automatically reset passwords when it happens.
Mityagin also said that the subsequent lists of usernames and passwords that have been posted online have also been checked, and are not associated with Dropbox accounts.