Dropbox: We Weren't Hacked, Your Password Wasn't Stolen

Following reports that Dropbox had been hacked and user logins stolen, the online storage service says that is not so: the user names and passwords were taken from other sites. Several hundred logins appeared on Reddit, along with the claim that the hackers hold user names and passwords for more than 7 million accounts and a promise that more will be released in exchange for Bitcoin payments.

Dropbox says password list wasn't stolen from its servers

Dropbox's Anton Mityagin responded to the claim by saying,

"Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."

The logins may have come from other sites and services, but that doesn't mean they were storing Dropbox credentials. What's more likely is that people are using the same user name and password for multiple services, so their stolen logins also happen to be the same for Dropbox.

That may not be the case, however: Dropbox said it cross-referenced the "leaked" logins, and early this morning said they aren't legit.

"A subsequent list of usernames and passwords has been posted online," Mr. Mityagin said. "We’ve checked and these are not associated with Dropbox accounts."

That casts the promise of more logins in exchange for money in a new light. Instead of extorting money from potential victims hoping to keep their passwords safe, this scheme preys on greedy hackers hoping for an easy list of logins without any effort.

Regardless of whether the list holds any legit Dropbox logins, the lesson for users is still clear: Don't use the same password on multiple sites, and don't use easy-to-guess passwords.