A Pastebin user posted 400 login credentials on Monday after a purported Dropbox hack; Dropbox, however, denies that it was compromised. The company claims the credentials came from somewhere else and will no longer work.
The Pastebin post promises to release more of nearly 7 million allegedly compromised credentials in return for Bitcoin “donations.” Shortly after the post, Reddit users confirmed that some of the leaked email address and password combinations worked.
Also on Monday, Dropbox published a blog post denying that it had been hacked, and suggesting that the credentials originally came from elsewhere.
“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” says Anton Mityagin of Dropbox security in the blog post. “Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”
The post also urges users not to reuse the same password across services, and to enable two-step verification. Dropbox also told Ars Technica that it was previously aware of related attacks, that all posted passwords are now expired, and that the vast majority had already expired before being posted.
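The response Dropbox describes above, expiring any posted credential that still matches a live account, comes down to checking each leaked email:password pair against the service's own stored password hashes and forcing a reset only where one matches. The following is an added example, not Dropbox's code; the user database, the PBKDF2 parameters and the leaked dump are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a service's account store: email -> (salt, PBKDF2-SHA256 hash).
def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def build_user_db(accounts):
    db = {}
    for email, password in accounts:
        salt = os.urandom(16)          # per-user random salt
        db[email] = (salt, hash_password(password, salt))
    return db

USER_DB = build_user_db([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "password123"),   # weak and reused on another service
    ("carol@example.com", "Tr0ub4dor&3"),
])

# Constructed stand-in for the kind of "email:password" lines posted publicly.
LEAKED_DUMP = """\
bob@example.com:password123
carol@example.com:wrongguess
dave@example.com:letmein
"""

def parse_dump(text):
    """Parse 'email:password' lines; skip blanks and malformed entries."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        pairs.append((email.lower(), password))
    return pairs

def accounts_to_expire(db, dump_text):
    """Return emails whose current password matches a leaked pair.
    Only these accounts need a forced reset; unknown emails and
    non-matching passwords are ignored, and the comparison is constant-time."""
    hits = []
    for email, leaked_pw in parse_dump(dump_text):
        entry = db.get(email)
        if entry is None:
            continue                   # not our user; nothing to do
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.append(email)
    return hits
```

Running the check on the constructed data flags only bob@example.com, whose reused password appears verbatim in the dump.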
The Reddit thread includes some pointed criticism of those whose credentials were leaked, suggesting that they were the low-hanging fruit: not only did they appear to be reusing passwords across different services, but the passwords were also so simple and obvious that they could easily be guessed or cracked from a hash.
Dropbox had a difficult Columbus Day weekend, as a Selective Sync bug deleted some user files. Edward Snowden also reiterated earlier criticism of Dropbox’s lack of privacy protection during a remote interview for the New Yorker Festival.
Users relying on cloud services to store sensitive information without bothering to create complex passwords or use current authentication techniques seem to have received another public warning.
There is still no confirmation that the Pastebin poster ever possessed the nearly 7 million credentials claimed, despite the alarmist hurry of some media to repeat it without qualification. If that reflects a common desire to believe the claims, then gullible cybercriminals will likely be the real “victims” of this breach, as their donated Bitcoins will get them nothing.