
Dropbox says it wasn't hacked, released passwords 'were stolen from unrelated services'


Yesterday, a plain-text file was posted to Pastebin with a provocative headline claiming Dropbox was hacked — the file itself contained some 400 email and password combos that supposedly opened up Dropbox accounts. Those 400 leaked passwords were supposedly just a taste of nearly 7 million total email / password combos that the hackers accessed; the leaker promised to release more and more of them as long as users donated Bitcoin to the "cause."

The news spread quickly on Twitter, with plenty of users cursing Dropbox's apparently lax security, but the company was quick to defend itself. In a blog post last night, Dropbox said unequivocally that it was not hacked. While the exact origin of the usernames and passwords is not yet clear, Dropbox says they did not come from its servers: the list is a collection of logins harvested from other sites across the internet, gathered at various times and from various sources.

Dropbox says the attackers took those stolen email and password pairs and tried them against its login service, the technique now commonly called credential stuffing (and it is entirely likely the same list was thrown at other internet services as well). The company says its measures to detect suspicious login activity contained the damage: suspicious login attempts typically trigger a mandatory password reset on the affected account. "Your stuff is safe," the company writes in its official blog. "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox."
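What "detecting suspicious login activity" against a reused-credential list can look like, as an added example that is not Dropbox's own code or a description of its systems: the log format, the thresholds and the sample lines below are all constructed for illustration. A credential-stuffing source is distinguished from a single user who forgot a password by the number of distinct accounts it tries in a short window, and any account that successfully authenticated from such a source is queued for a forced password reset, since its password is evidently in the attacker's list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Dropbox logs; the
# "ts src= user= result=" format is an assumption made for this example).
SAMPLE_LOG = """\
2014-10-13T22:01:05Z src=203.0.113.7 user=alice@example.com result=FAIL
2014-10-13T22:01:06Z src=203.0.113.7 user=bob@example.com result=FAIL
2014-10-13T22:01:07Z src=203.0.113.7 user=carol@example.com result=FAIL
2014-10-13T22:01:08Z src=203.0.113.7 user=dave@example.com result=SUCCESS
2014-10-13T22:01:09Z src=203.0.113.7 user=erin@example.com result=FAIL
2014-10-13T22:01:10Z src=203.0.113.7 user=frank@example.com result=FAIL
2014-10-13T22:05:00Z src=198.51.100.2 user=alice@example.com result=FAIL
2014-10-13T22:05:30Z src=198.51.100.2 user=alice@example.com result=FAIL
2014-10-13T22:06:00Z src=198.51.100.2 user=alice@example.com result=SUCCESS
2014-10-13T23:30:00Z src=192.0.2.9 user=grace@example.com result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, username, result) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10),
                          min_distinct_users=5, min_failures=4):
    """Return the set of source IPs that, within any sliding `window`, tried at
    least `min_distinct_users` different accounts with at least `min_failures`
    failures. One account failing repeatedly from one IP (a forgotten password,
    or classic brute force) deliberately does not qualify."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))

    flagged = set()
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start until all attempts fit inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_distinct_users and failures >= min_failures:
                flagged.add(src)
                break
    return flagged


def accounts_to_reset(events, flagged_sources):
    """Accounts that authenticated successfully from a flagged source: the
    attacker's list evidently contains their working password, so the
    response is a mandatory password reset for each of them."""
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and src in flagged_sources})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bad = flag_stuffing_sources(evs)
    print("credential-stuffing sources:", sorted(bad))
    print("force password reset for:", accounts_to_reset(evs, bad))
```

On the sample data only 203.0.113.7 is flagged (six accounts in five seconds, five of them failing); 198.51.100.2 is a single user failing twice and then succeeding, which is normal behaviour and must not trigger resets. In production the per-IP view is only a first cut, because a stuffing campaign spread across a proxy pool shows up as a site-wide spike in failures across many accounts rather than from any one address.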

But while there doesn't seem to have been a new hack behind this latest password dump, it's a reminder that old passwords are easy to find on the dark web. By now, hackers probably have the password you used on LinkedIn before 2012, for example. The question is whether there's anything they can do with it. If you're practicing good security (a different password for each service, two-factor authentication wherever it's offered, and a prompt change of any password that turns up in a leak), then your old LinkedIn password won't matter, just like it won't matter if your old login was part of today's Dropbox dump. If not, this kind of password dump should be a reminder to tighten up: it is the reuse of one password across services that makes credential stuffing work, and rotating that same password on a schedule does little to help. Fixing it is free, easier than you think, and could save you a lot of trouble down the road.

Russell Brandom contributed to this report.