Now it is Dropbox’s turn: an archive of nearly 7 million Dropbox login credentials has been published on Pastebin. A guest account posted four different documents on Pastebin, all claiming to be part of “the massive hack of 7,000,000 accounts”. The author also announced that there is “More to come” if punters “keep showing your support” by making Bitcoin payments to the author.
Other sources report that the data leak apparently surfaced on a Reddit thread, where some Reddit users who tested the credentials confirmed that many of them still work. Judging from the comments, it seems that Dropbox has responded to the data leak by resetting all the accounts listed on Pastebin.
Unfortunately for the mysterious hacker, most of the 400 credentials posted as proof of the hack were no longer valid. Meanwhile, Dropbox denies that its systems were hacked and maintains that the data have a different origin.
“Dropbox has not been hacked,” the company told the outlet. “These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.
“We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well,” states Anton Mityagin in an official announcement from the company. “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”
According to Dropbox, a subsequent list of credentials has been disclosed online, but checks made by the company confirm that the new wave of usernames and passwords is not associated with Dropbox accounts.
In any case, Dropbox urges its customers to enable 2-step verification for the authentication of their accounts.
(Security Affairs – DropBox, data leakage)