Dropbox Claimed Its Logins Were Not Hacked

The file-storage service has denied claims that 7 million usernames and passwords have been stolen by the hackers, who were then threatening to leak them online. The hackers posted a few hundred usernames and passwords on the text-sharing site Pastebin. The cyber attackers claimed that it was just a small portion of the 7 million logins stolen directly from the Dropbox servers. The Bitcoin “donations” were demanded from the netizens to release the rest of the stolen data.

However, the Dropbox’s security team pointed out that the usernames and passwords posted online were stolen from unrelated services and used to log in to various websites across the web, including Dropbox. The company employs measures to detect suspicious login activity and automatically resets passwords when such is detected. Moreover, the security experts found out that subsequent lists of usernames and passwords were not connected with Dropbox accounts.

Apparently, it was due to password reuse that some of the leaked details appeared seemingly coincidentally valid for Dropbox. It is unclear how many of them worked, but the service has since revoked any that were valid. Password reuse remains a common phenomenon, so there will always be a chance they could appear valid on unrelated services.

The security experts explain that other password leaks have been used by the hackers in a similar manner in the hopes to sell the data on. For example, the Russian hacking scare a few months ago, where security researchers claimed hackers obtained 1.2bn usernames and passwords, was questioned as a similar situation, i.e. a collation of previous leaks combined with other data. In some cases people looked for Bitcoin donations where the data didn’t exist at all, in others the data wasn’t for the services claimed and didn’t origin from the sources claimed.

Dropbox and other services recommend users to adopt two-factor authentication. In other words, to use another device like a number generator mobile app or USB key as a secondary login factor. Although this way might add an inconvenient step in the use of apps and services, it can prevent others from logging into the service from an unknown device or a suspicious location. Such method is used by Dropbox, Google, Facebook and other major services.

Source: Extratorrent