Dropbox blames other services for claimed 7 million password hack

This is your regularly scheduled reminder to turn on two-factor authentication where available.
Written by Chris Duckett, Contributor

An unnamed hacker group is claiming that it has accessed 6,937,081 Dropbox accounts, and, when paid enough in Bitcoin, the group intends to publish more than the 1,200 usernames and passwords that it has released.

After publication, Dropbox issued a statement saying that it had not been hacked.

"These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts," the company said.

"We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well."

For what it is worth, some Reddit users have said that the login credentials work, while others report that Dropbox is expiring the passwords on the affected accounts.

With over 220 million users, the hacker group can only lay claim to having access to around 3 percent of the Dropbox database, at best.

Whether this attack is confirmed or not, best practice continues to recommend that users turn on two-factor authentication and install a time-based, one-time password app on a mobile device.

Dropbox has already suffered the indignity of admitting its Selective Sync application had deleted a number of files for some of its users.

"Unfortunately, some of your files were deleted when the Dropbox desktop application was shut down or restarted while you were applying Selective Sync settings," the company said in an email to users. "We're very sorry about what happened. There's nothing more important to use than making sure your information is safe and always available."

The company has been giving affected users a free year of Dropbox Pro.

In 2012, Dropbox found that usernames and passwords were stolen from other websites to log into a "small number" of Dropbox accounts.

"Keeping Dropbox secure is at the heart of what we do, and we're taking steps to improve the safety of your Dropbox, even if your password is stolen," said vice president of engineering Aditya Agarwal at the time.

A year prior, Dropbox admitted that it had inadvertently published code on its website that allowed anyone to sign in to any Dropbox account without credentials.

Update: Added Dropbox response and changed headline to reflect statement

Editorial standards