Popular online locker service Dropbox appears to have been hacked. A series of posts has been made to Pastebin allegedly containing login credentials for hundreds of Dropbox accounts. The poster claims that 6,937,081 account credentials in total have been compromised.
Reddit users who tested some of the leaked credentials have confirmed that at least some of them work. Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though thus far passwords for other accounts do not appear to have been reset.
The hackers claim that they will release more username/password pairs if they receive donations to their Bitcoin address.
Dropbox responded in a blog post on 13th October:
“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Update: 10/14/2014 12:30am PT
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.”