There have been a lot of headlines on tech sites over the last couple of days about Dropbox, the popular cloud-based storage service, and claims that it has been hacked. According to reports, up to 6.9 million Dropbox usernames and passwords have been compromised, and a handful were leaked online in a pastebin post, with the alleged hacker soliciting “donations” to encourage additional leaks.
While Dropbox was a little slow off the mark to respond – presumably wanting to confirm that its systems remained secure and untouched by unauthorised parties – the company yesterday released a denial:
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
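The statement above describes the server-side defence against credential stuffing: spotting login activity that looks like a stolen credential list being replayed, and resetting the passwords of any accounts the attacker got into. The following is an added example of that kind of detection, not Dropbox's code. It runs over a few constructed authentication log lines in an assumed "timestamp ip username result" format; the thresholds (at least five distinct usernames from one source, at least 70% failures, all within ten minutes) are assumptions chosen for the sample, not values from the original page.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not Dropbox's code). A source IP that tries many distinct
usernames in a short window, mostly failing, is almost certainly replaying
a leaked credential list. Accounts that did log in successfully from such
a source are reported for a forced password reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, assumed format: "<ISO timestamp> <ip> <username> <OK|FAIL>".
# 203.0.113.7 sprays eight different accounts in seven seconds and gets two hits.
# 198.51.100.2 is one user mistyping once. 192.0.2.9 is an office NAT where five
# people log in normally (many users, but no failures).
SAMPLE_LOG = """\
2014-10-13T22:01:03Z 203.0.113.7 alice@example.com FAIL
2014-10-13T22:01:04Z 203.0.113.7 bob@example.com FAIL
2014-10-13T22:01:05Z 203.0.113.7 carol@example.com OK
2014-10-13T22:01:06Z 203.0.113.7 dave@example.com FAIL
2014-10-13T22:01:07Z 203.0.113.7 erin@example.com FAIL
2014-10-13T22:01:08Z 203.0.113.7 frank@example.com OK
2014-10-13T22:01:09Z 203.0.113.7 grace@example.com FAIL
2014-10-13T22:01:10Z 203.0.113.7 heidi@example.com FAIL
2014-10-13T22:05:00Z 198.51.100.2 dave@example.com FAIL
2014-10-13T22:05:20Z 198.51.100.2 dave@example.com OK
2014-10-13T23:10:00Z 192.0.2.9 alice@example.com OK
2014-10-13T23:11:00Z 192.0.2.9 bob@example.com OK
2014-10-13T23:12:00Z 192.0.2.9 carol@example.com OK
2014-10-13T23:13:00Z 192.0.2.9 erin@example.com OK
2014-10-13T23:14:00Z 192.0.2.9 grace@example.com OK
"""


def parse_line(line):
    """Return (timestamp, ip, username, success) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.7,
                    window=timedelta(minutes=10)):
    """Flag source IPs whose login pattern looks like credential stuffing.

    Returns {ip: {"attempts", "distinct_users", "fail_ratio", "reset_accounts"}}
    where reset_accounts lists the usernames that authenticated successfully
    from the flagged source and should have their passwords reset.
    Thresholds are assumptions for the sample data.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # by timestamp
        users = {user for _, user, _ in events}
        failures = sum(1 for _, _, ok in events if not ok)
        fail_ratio = failures / len(events)
        span = events[-1][0] - events[0][0]
        # All three signals together: breadth (many accounts), low hit rate
        # (guessing, not a legitimate user), and speed (automated).
        if len(users) >= min_users and fail_ratio >= min_fail_ratio and span <= window:
            findings[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                "reset_accounts": sorted(user for _, user, ok in events if ok),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The point of requiring all three signals is to avoid resetting passwords for a shared office address where many people log in without failures, or for one person who simply mistypes. A production detector would use a sliding window rather than the total span, and would add signals such as user agent, ASN and geography, but the shape of the decision is the same.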
The good news is that after Dropbox obtained the leaked data and compared it against its live account data, the company updated the blog post:
Update: 10/14/2014 12:30am PT
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.
What does this mean for Dropbox users?
As always, be diligent with your data security. If you are alerted to an actual (or potential) compromise of your username and password, you should change your password immediately.
If you use the same username and password for Dropbox as for another service, you should change it. If you’re concerned that you won’t be able to remember lots of different passwords, consider using a password manager – LastPass is our choice.
If the service you’re using supports 2 step verification – which Dropbox offers – you should enable and use it. I use Authy as my authenticator app of choice for this.
You should check Have I Been Pwned, a site that can tell you if your email address has been found in data posted online by attackers.
Additionally, if you do use LastPass, you can ask it to check your password vault to ensure your passwords are unique on every site – a reused password is a big risk if a service you’re using falls to a malicious attack, because the attacker can try the same credentials on every other site you use. Other password managers likely offer similar features, too. In particular, we like that LastPass will email you if it finds your credentials in account lists posted online by hackers.
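To make the reuse risk concrete, here is an added example (not LastPass's code or any password manager's) of the two checks described above, run over a constructed vault and a constructed leaked list of the pastebin kind. It groups vault entries by password to find reuse, then marks which sites an attacker could log into directly with a leaked username/password pair and which are exposed only because the same password is used under a different username. Site names, accounts and passwords are all made up for the example.

```python
"""Password-vault audit against a leaked credential list.

Added example, not a password manager's own code. Passwords are compared by
SHA-256 fingerprint so the report never carries plaintext around.
"""
import hashlib
from collections import defaultdict

# Constructed vault entries: (site, username, password).
VAULT = [
    ("dropbox.com", "alice@example.com", "Summer2014!"),
    ("forum.example.net", "alice@example.com", "Summer2014!"),
    ("shop.example.org", "alice@example.com", "Summer2014!"),
    ("mail.example.com", "alice", "Summer2014!"),          # same password, other username
    ("bank.example.com", "alice@example.com", "xK9#mQ2vL!pR4wZ"),
]

# Constructed leaked list, as a breached forum's dump would appear: (username, password).
LEAKED = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "hunter2"),
]


def fingerprint(password):
    """Stable fingerprint of a password for comparison without keeping plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reuse(vault):
    """Return {password_fingerprint: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[fingerprint(password)].append(site)
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def exposed_sites(vault, leaked):
    """Split the vault into sites an attacker can enter directly and sites at risk via reuse.

    direct: the exact leaked (username, password) pair works there, so credential
            stuffing, as in the Dropbox case, succeeds without any guessing.
    via_reuse: the leaked password is used there under a different username;
            one extra guess (the username) is all the attacker needs.
    """
    leaked_pairs = {(user.lower(), fingerprint(pw)) for user, pw in leaked}
    leaked_passwords = {fp for _, fp in leaked_pairs}
    direct, via_reuse = [], []
    for site, user, password in vault:
        fp = fingerprint(password)
        if (user.lower(), fp) in leaked_pairs:
            direct.append(site)
        elif fp in leaked_passwords:
            via_reuse.append(site)
    return sorted(direct), sorted(via_reuse)


if __name__ == "__main__":
    for fp, sites in find_reuse(VAULT).items():
        print("password %s... reused on: %s" % (fp[:12], ", ".join(sites)))
    direct, via_reuse = exposed_sites(VAULT, LEAKED)
    print("change immediately (credentials leaked):", direct)
    print("change soon (leaked password reused):", via_reuse)
```

Note that the bank account, which has its own unique password, does not appear in either list: that is the whole benefit of one password per site. Everything else that shares the leaked password needs changing, whether or not that particular site was ever breached.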
Security online is a game of trade-offs: do you prefer to have your data always at your fingertips, accepting the potential for a breach, or would you rather store your data privately on your own physical media that you can see and touch?
Were you affected by the Dropbox leaks? Do you prefer shared cloud or private storage for your data? Tell us in the comments.