It's been a rough few days for Dropbox. The popular cloud storage service recently had a bug in its Selective Sync feature that caused data loss for many users. And if that weren't bad enough, it looks like nearly 7 million Dropbox accounts may have been compromised. Dropbox is used by bitcoin users around the world, many of whom keep unencrypted wallet.dat backups in their Dropbox. If this sounds like you, now would be a good time to change your Dropbox password, enable two-step verification, and store only an encrypted wallet backup in the cloud.
Just yesterday, an unnamed hacker group claimed to have login credentials for 6,937,081 Dropbox accounts. They have already released hundreds of credentials on Pastebin and have promised to release more for bitcoin donations.
"MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN
As more BTC is donated, more pastebin pastes will appear
To find them, simply search for "DROPBOX HACKED" and you
will see any additional pastes as they are published.
SEND BTC DONATIONS TO 1Fw7QqUgzbns7yWHH32UnmMxmMMwu6MC6h
COME BACK AND CHECK PASTEBIN FOR NEW DROPBOX DROPS
THE MORE BTC DONATED WILL REFLECT HOW MANY MORE LOGIN AND PASSWORDS
ARE RELEASED PUBLIC."
So far, the bitcoin address has only received 0.0032 BTC (roughly $1.30 USD). However, that doesn't seem to have deterred the hackers, who have now posted 5 batches of login information, each with hundreds of leaked credentials. Reddit users have confirmed that some of the passwords do work. However, other credentials may be old or expired.
Dropbox Says It Wasn't Hacked
Dropbox issued a statement regarding the leaked credentials yesterday on its blog.
"Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Update: 10/14/2014 12:30am PT
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts."
In another statement to The Next Web, Dropbox assured users that "the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well," and that many of the affected accounts had their passwords reset over "suspicious activity".
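Dropbox's statement describes the pattern behind this incident: credentials stolen elsewhere are replayed against many accounts, and suspicious login activity triggers automatic password resets. The following is an added example, not Dropbox's code, of what that triage logic can look like: it reads constructed login log lines (the `timestamp ip username result` format and the thresholds are assumptions), flags source IPs that try many distinct usernames with a low success rate inside a short window, and returns the accounts that did succeed from such sources as candidates for a forced reset.

```python
"""Credential-stuffing triage over web login logs (added example).

Flags source IPs that attempt many distinct usernames with mostly
failures in a short window, then lists the usernames that succeeded
from those IPs so their passwords can be reset. Log format and
thresholds are assumptions, not Dropbox's actual rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2014-10-13T22:00:01 203.0.113.7 alice FAIL
2014-10-13T22:00:02 203.0.113.7 bob FAIL
2014-10-13T22:00:02 203.0.113.7 carol FAIL
2014-10-13T22:00:03 203.0.113.7 dave FAIL
2014-10-13T22:00:04 203.0.113.7 erin OK
2014-10-13T22:00:05 203.0.113.7 frank FAIL
2014-10-13T22:05:00 198.51.100.9 alice FAIL
2014-10-13T22:05:30 198.51.100.9 alice OK
"""

def parse(log):
    """Yield (timestamp, ip, username, succeeded) tuples from the log text."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: sorted usernames that logged in OK} for every IP that,
    within any sliding `window`, attempted at least `min_users` distinct
    usernames with a success rate no higher than `max_success_rate`."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order per source IP
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            if len(users) < min_users:
                continue
            rate = sum(ok for _, _, ok in in_win) / len(in_win)
            if rate <= max_success_rate:
                # accounts that succeeded from a stuffing source: force reset
                flagged[ip] = sorted(u for _, u, ok in in_win if ok)
                break
    return flagged
```

A single user retrying their own password (198.51.100.9 above) is not flagged; only the source spraying many distinct accounts is, and "erin" is the account whose reused credential actually worked.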
An Important Note on Privacy and Security
Many of the affected accounts were using weak passwords like "l23456", dictionary words, or first/last names. It would also be unsurprising if these users were reusing the same login credentials across multiple services. Using a unique password for each account and enabling two-step verification can greatly reduce the chances of having one's online accounts compromised in attacks like this one, the recent "Snappening", and the celebrity iCloud hack.
Interestingly, Edward Snowden has warned that Dropbox is "hostile to privacy" and "a targeted you know wannabe PRISM partner." Just last week, Snowden also said that users who care about their privacy should "get rid of Dropbox," since the service doesn't support encryption. Perhaps, given recent events, now might be a good time to look into alternatives like SpiderOak, which does support encryption, or set up your own cloud storage system with tools like ownCloud?
Featured image from Shutterstock. Dropbox logo by Dropbox.
Do you use Dropbox? Please share your thoughts in the comments section below.