Unidentified hackers recently posted several hundred email address and password combinations for Dropbox accounts on Pastebin, claiming that a total of 6,931,081 accounts had been hacked and asking for Bitcoin donations.
"As more BTC is donated, more Pastebin pastes will appear," the hackers wrote.
In response, Dropbox security engineer Anton Mityagin stated in a blog post that Dropbox had not been hacked, and that any matching credentials were the result of password reuse, not a breach.
"Your stuff is safe," Mityagin wrote. "The usernames and passwords ... were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
In a statement provided to The Next Web, the company added, "We'd previously detected these attacks and the vast majority of passwords posted have been expired for some time now."
"Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services," Mityagin explained. "For an added layer of security, we always recommend enabling two step verification on your account."
Still, it may be difficult to do so in the short term -- several people posted comments on the Dropbox blog complaining that the two-step verification process wasn't working. "Dropbox says to enable 2-step auth... and it doesn't work," Josh S wrote. "Been trying it for 3 hours now. Never get the code."
In a similar breach last month, a hacker published login credentials for 4,929,090 Gmail accounts. In response, Google claimed that the leak was not the result of a Gmail breach.
"Often, these credentials are obtained through a combination of other sources," Google explained at the time. "For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others."
In Dropbox's case, Malwarebytes Labs malware intelligence analyst Chris Boyd told eSecurity Planet by email that the posts on Pastebin were likely either an attempt to scare people into setting up two-factor authentication, or a grab for Bitcoins. "Given [Dropbox's] claim there's been no compromise and all of the 'sample' accounts were already expired, it's looking more like the latter," he said.
"Anyone can post extravagant claims to Pastebin and while there's no harm in changing a password once word of a potential breach gets out, we shouldn't panic, and wait until more concrete information comes to light," Boyd added.
Paul Trulove, vice president of products at SailPoint, said it's particularly worrying that the breach appears to have been the result of password reuse, an issue that's far too common. "In fact, [last year], SailPoint found that half of business leaders in the U.K., and 40 percent in the U.S., admitted to reusing the same password across personal and work applications," he said.
"By doing so, these business users are creating potentially large ramifications on the company's security because then a single password breach -- like what Dropbox is claiming -- can all too easily cascade across a myriad of other applications," Trulove added.
A recent eSecurity Planet article examined ways of enforcing password complexity without alienating users.