Hackers are claiming to have acquired the log-in usernames and passwords of almost 7 million users of Dropbox, with a series of posts made on Pastebin containing what appear to be the log-in credentials of hundreds of accounts for the cloud storage service.
The person making the posts is claiming to be in possession of the log-in credentials of a total of 6,937,081 accounts. Users on the online forum Reddit tested the leaked passwords and have confirmed that some of them are legitimate.
The hackers who stole the credentials said that they will release more usernames with their corresponding passwords unless they are paid a ransom in Bitcoin.
Anton Mityagin, a security engineer for Dropbox, wrote on the company's official blog that the website was not hacked. According to him, the passwords that the hackers obtained were acquired through unrelated, third-party services and not Dropbox itself.
Mityagin added that the hackers used the stolen credentials across a variety of websites, with Dropbox just one of them. He said that Dropbox has certain security measures in effect that could pinpoint any suspicious attempts to log in, and that the account's password is automatically reset when such activity is detected.
"Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services," Mityagin added, recommending the service's two-step verification system for an additional layer of protection on the accounts of Dropbox users.
The post was eventually updated to say that Dropbox had checked the log-in credentials posted online by the hackers and confirmed that they are not associated with accounts on the service.
The hacked log-in credentials underscore the importance of strong passwords for users. However, according to an expert in cybersecurity, providers of cloud-based services should also do their part by providing better security education to their users.
"It's a shared responsibility — the providers' responsibility is to protect the service, but the users' responsibility is to protect their credentials," said Adallom senior vice president Tal Klein. "Every time you put data in the cloud, you need to do a quick summation of how valuable the data is and how it should be protected."
The release of the hacked passwords comes right after the Snappening, in which a massive 13GB collection of pictures and videos sent through Snapchat was uploaded by hackers to the online forum 4chan.
The incident is shocking because the messages sent through Snapchat are supposed to delete themselves after a definite amount of time.
"Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well," a Dropbox spokesperson told Tech Times.