Dropbox officials on Monday said that a large cache of usernames and passwords posted online and alleged to have come from the company’s users is not related to Dropbox customer accounts.
A spate of media reports yesterday said that attackers had stolen several million sets of credentials from Dropbox and posted them online. The claim of the anonymous hacker who posted the credentials was unverified, and some experts warned that the information easily could have come from a third-party service. Attackers are prone to taking credentials stolen in one hack and reposting them as data from another company.
Dropbox officials said they had looked at the posted information and verified that it wasn’t stolen from the company.
“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Anton Mityagin of Dropbox said in a blog post.
Dropbox is a frequent target for attackers, who covet the data that the company’s millions of users upload to the service. The company’s service allows users to upload files to Dropbox servers and share them with others via private links. Gaining access to a customer’s account through a stolen username and password would let the attacker see not just the content that victim had uploaded, but also any data that other users had shared with the victim. To help defeat these attacks, Dropbox has had a two-step verification system available for some time.
“Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account,” Mityagin said.