Nearly 7 Million Dropbox Account Passwords Leaked Online

Dropbox, the popular online locker service, appears to have been hacked by an unnamed hacker group. It is still unclear how the account details of so many users were accessed and, indeed, whether they are legitimate. However, the group claims to have accessed details from nearly 7 million individual accounts and is threatening to release users’ photos, videos and other files.


A thread surfaced on Reddit today that includes links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text. A series of posts with hundreds of alleged usernames and passwords for Dropbox accounts has also been made to Pastebin, an anonymous information-sharing site.

A message at the top of the leaks said:

Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on [redacted] for the term Dropbox hack.

The hackers have already leaked about 400 accounts by posting login credentials, all starting with the letter B, and labelled the post a “first teaser…just to get things going”. The perpetrators are also promising to release more password details if they are paid a Bitcoin ransom.


The security breach at Dropbox will certainly have worried its millions of users, and because passwords are involved in this incident, the consequences for those users are all the more frightening. Reddit users have tested some of the leaked username and password combinations and confirmed that at least some of them work.


However, Dropbox has denied that it has been hacked, saying the passwords were apparently stolen from third-party services that users allowed to access their accounts. In a statement to The Next Web, Dropbox said:
“Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.”


Until the full scope of the problem is known, it’s probably worthwhile changing your password. Whether the attack is confirmed or not, it’s a good idea to change your password just to be on the safe side, especially if you use the same password for multiple services.
Users are also advised to turn on two-factor authentication, which Dropbox now supports, and to install a time-based one-time password app on a mobile device.

Update: Dropbox has issued a statement on its blog further clarifying that the Dropbox passwords were stolen from unrelated services.

Dropbox says it performed password resets when it detected ‘suspicious activity’ on these accounts a few months ago.
