Dropbox Confirms Compromised Account Details But Says Its Servers Weren’t Hacked

After last week’s Snapchat photo hack, it’s cloud storage provider Dropbox’s turn in the unsavory insecurity spotlight. An anonymous Pastebin user has claimed to have compromised almost seven million Dropbox account credentials (emails and passwords), posting the first 400 direct to Pastebin with a call for Bitcoin donations to leak more.

This leak has since been followed up with a couple more pastes (of around a hundred account credentials apiece). However, these follow-up pastes do not appear to be genuine. In an update to a blog post about the attack, Dropbox notes: “A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts.”

As with the Snapchat hack, Dropbox has pointed the finger of blame for the 400 compromised accounts elsewhere — at “unrelated” third party services — stressing that its own security has not been compromised.

However, unlike Snapchat, it appears services using Dropbox’s API were not to blame here. Rather, the culprit looks like password reuse across other web services.

In a post on the company blog — unequivocally entitled ‘Dropbox wasn’t hacked’ — Dropbox’s Anton Mityagin writes:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

In an earlier statement given to The Next Web the company also noted that it had “previously detected these attacks”, adding that “the vast majority of the passwords posted have been expired for some time now”:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

It’s unclear exactly which other website(s) or service(s) are the source of the security breach. But Dropbox’s statement confirms the initially posted credentials are — or rather were — genuine account logins for its service, albeit now reset. It also says no actual accounts were compromised as a result of the leaked credentials.

If it’s a case of simple password cross-pollination (i.e. web users reusing the same login credentials) across multiple services then Dropbox’s claim that its servers have not been hacked does technically stand up. However the end result — user accounts compromised — is the same.
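Dropbox says it has “measures in place to detect suspicious login activity” and resets passwords automatically when it fires. The following is an added illustration of what such a measure can look like, not Dropbox’s code: a heuristic that separates credential stuffing (one source trying a stolen email/password pair once each against many different accounts) from a single user fumbling their own password. The log format, field layout, sample lines and thresholds are all assumptions constructed for the example.

```python
"""Credential-stuffing heuristic over constructed login-audit lines.

Added example; not Dropbox's code. The log format, the thresholds and
the field names are assumptions chosen for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format):
#   "<ISO timestamp> <source IP> <account> <OK|FAIL>"
# The first source tries six different accounts in six seconds; the
# second is one user retrying their own account and finally succeeding.
SAMPLE_LOG = """\
2014-10-13T10:00:01 198.51.100.7 alice@example.com FAIL
2014-10-13T10:00:02 198.51.100.7 bob@example.com FAIL
2014-10-13T10:00:03 198.51.100.7 carol@example.com OK
2014-10-13T10:00:04 198.51.100.7 dave@example.com FAIL
2014-10-13T10:00:05 198.51.100.7 erin@example.com FAIL
2014-10-13T10:00:06 198.51.100.7 frank@example.com FAIL
2014-10-13T10:05:00 203.0.113.9 alice@example.com FAIL
2014-10-13T10:05:30 203.0.113.9 alice@example.com FAIL
2014-10-13T10:06:00 203.0.113.9 alice@example.com OK
"""


def parse_log(text):
    """Yield (timestamp, ip, account, success) tuples; skip malformed lines."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 4:
            continue
        ts, ip, account, outcome = parts
        yield datetime.fromisoformat(ts), ip, account, outcome == "OK"


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many *distinct* accounts in a short window.

    Brute force goes deep on one account; stuffing goes wide, one try per
    account, and most tries fail because most users did not reuse the
    password. Returns (flagged, to_reset): `flagged` maps each suspicious
    IP to the widest window seen, and `to_reset` holds every account that
    logged in successfully from a flagged source, since a success there
    means the stolen pair worked and that password must be expired.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, ok in parse_log(text):
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    to_reset = set()
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {acct for _, acct, _ in span}
            if len(accounts) < min_accounts:
                continue
            failures = sum(1 for _, _, ok in span if not ok)
            fail_ratio = failures / len(span)
            if fail_ratio < min_fail_ratio:
                continue
            prev = flagged.get(ip, {"accounts": 0})
            if len(accounts) > prev["accounts"]:
                flagged[ip] = {"accounts": len(accounts),
                               "fail_ratio": round(fail_ratio, 2)}
            to_reset.update(acct for _, acct, ok in span if ok)
    return flagged, to_reset


if __name__ == "__main__":
    flagged_ips, accounts_to_reset = detect_credential_stuffing(SAMPLE_LOG)
    for ip, info in flagged_ips.items():
        print(f"{ip}: {info['accounts']} accounts, fail ratio {info['fail_ratio']}")
    print("expire passwords for:", sorted(accounts_to_reset))
```

The thresholds (five distinct accounts within five minutes, at least half of the attempts failing) are illustrative; in practice they are tuned against the site’s normal traffic, and the source key is often a subnet or client fingerprint rather than a single IP, since stuffing tools rotate addresses. The point the article makes survives the tuning: the defender never sees the original breach, only its echo as a burst of low-success logins, which is why reuse across services turns one site’s leak into everyone’s problem.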

Requiring users to enable an additional step aimed at safeguarding their accounts from these types of attacks, such as enforcing two-step authentication, would result in more robust protection from this type of password hack. But obviously requiring that step would add an additional layer of complexity for users. Hence the ongoing tug of war between security and convenience. (And throw in hackers hoping to make a quick buck from Bitcoin donations and there’s yet another strand in play.)

Dropbox was in the news earlier this week after coming under fire from NSA whistleblower Edward Snowden as “hostile to privacy” — referring to its ability to access your data itself, which is yet another security consideration when it comes to web services.

Snowden warned web users that Dropbox does not safeguard their privacy because it holds encryption keys and can therefore be forced by governments to hand over the personal data they store on its servers. He suggested people get rid of Dropbox and use alternative cloud storage providers that do not hold any encryption keys (and therefore cannot read your data) — name-checking rival cloud storage provider SpiderOak.