Millions of Dropbox credentials hacked from 3rd party services [UPDATE]

Just when you thought Dropbox was in the clear, a storm suddenly rises to dump a rain of worries on the service’s millions of users. As many as 7 million usernames and their corresponding passwords have reportedly been accessed, with a few of them “teased” in a pastebin posting. This incident comes shortly on the heels of yesterday’s revelation of a bug in Dropbox’s desktop client that led to some data loss. Because passwords are involved, however, this new development has far more frightening consequences.

Aside from safeguarding the Dropbox account itself, the problem with passwords is that users tend to reuse them and be lazy about them, preferring easy-to-remember and easy-to-guess combinations over strong and somewhat obscure ones. In short, once a user’s password has been compromised on one site, there is a high chance the same password will open the doors to other services as well, which is exactly what could happen with this latest incident. One short segment of the full list of hacked passwords, amusingly all belonging to usernames starting with B, was made public on a Reddit thread, where other Redditors chimed in to confirm that the passwords do actually work.

Dropbox has been made aware of the situation and has already expired the passwords of those affected, forcing them to change their passwords, hopefully before anyone has had the chance to extract critical user information and files. But while Dropbox is fast in acting, it is also seemingly washing its hands of guilt for the incident. According to the company, its service has not been hacked. Instead, the leaked credentials came from third-party services that connect to Dropbox and have themselves been compromised. Dropbox also claims to have been aware of such attacks and to have expired any affected passwords.

Regardless of whether you received Dropbox’s worrying email or not, now would be a good time to change your password for the service, and perhaps to take stock of other popular and frequently targeted accounts that you might have in your utility belt. It is also an opportune time to learn about two-step authentication, which many services including Dropbox offer, and to enable it. It may not prevent your password from being stolen in a case like this, but it does prevent anyone from accessing your account using just the password. Hopefully you don’t use the same password on other sites that lack two-step authentication.

[UPDATE] Dropbox has now made an official, short, and to-the-point statement about the incident. Dropbox was not hacked. The stolen credentials came from unrelated third-party services and were then used to attempt logins to various web services, which just happened to include Dropbox. Dropbox, however, says that it has security measures in place to detect such attempts and expires passwords when that happens. Here’s Dropbox’s statement in full:

“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”
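What “measures in place to detect suspicious login activity” can look like in practice, as an added illustration and not Dropbox’s own code: a source address that tries many different usernames in a short window and mostly fails is the signature of credentials stolen elsewhere being replayed, and the accounts it did get into are the ones whose passwords should be expired. The log format, addresses and usernames below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real Dropbox logs): time, source IP, username, outcome.
# 203.0.113.7 tries six different accounts within seconds (replayed leaked credentials; two work).
# 198.51.100.9 is one user mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2014-10-13T21:00:01 203.0.113.7 alice FAIL
2014-10-13T21:00:02 203.0.113.7 bob FAIL
2014-10-13T21:00:03 203.0.113.7 carol OK
2014-10-13T21:00:04 203.0.113.7 dave FAIL
2014-10-13T21:00:05 203.0.113.7 erin FAIL
2014-10-13T21:00:06 203.0.113.7 frank OK
2014-10-13T21:05:00 198.51.100.9 alice FAIL
2014-10-13T21:05:30 198.51.100.9 alice FAIL
2014-10-13T21:06:00 198.51.100.9 alice OK
"""

def parse_log(log):
    """Turn the text above into (timestamp, ip, user, outcome) tuples, oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Return {ip: set(usernames whose login succeeded)} for every source IP that, inside
    any `window`, attempted at least `min_users` distinct accounts and mostly failed.
    Many distinct usernames plus a high failure rate is the replay signature; a shared
    NAT address with normal users rarely fails half of its logins."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):             # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "FAIL")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(u for _, u, o in chunk if o == "OK")
    return flagged

def accounts_to_reset(events):
    """Accounts a flagged source actually got into: their passwords are known to be leaked
    and should be expired, which is the response the statement above describes."""
    return set().union(*detect_stuffing(events).values())
```

Thresholds are assumptions to tune per service; the failure-ratio check is what keeps a busy office NAT from being flagged alongside a real replay source.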

VIA: The Next Web, Reddit