Updated 8:30pm Pacific with Dropbox’s response.
Hundreds of alleged usernames and passwords for Dropbox have been published on Pastebin, an anonymous information-sharing site.
The apparent hackers claim to have nabbed 6,937,081 passwords and today published a “teaser” of 400 username-password pairs. They requested donations in Bitcoin and promised to release more passwords based on how much of the virtual currency they receive. The usernames appeared in alphabetical order starting with firstname.lastname@example.org and ending with email@example.com.
Dropbox, however, says the hack is bogus. The company offered VentureBeat this response to our inquiry:
“Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.”
Subsequently, two more “teasers” appeared on Pastebin.
A Reddit thread first mentioned the apparent leak about three hours ago. The Reddit user who first submitted the link later said that usernames and passwords in the file actually did work.
Dropbox posted a warning against phishing scams on October 9.
While this hack may not be legitimate, and even though Dropbox says it expired most of these passwords long ago, the fact that someone on Reddit is claiming that the passwords do work is cause for concern.
It’s probably a good idea to change your password just to be safe — especially if you use the same password on multiple sites — and enable two-factor authentication, which Dropbox now supports.
Via The Next Web