Security PSA: Dropbox Passwords Leak on Reddit, Change Yours Now

Dropbox says it was not breached, leaks came from third-party app service.

The Next Web is reporting that "hundreds" of Dropbox passwords were posted on Pastebin, then Reddit, after what's being called a third-party app security breach.

A post on the r/SysAdmin subreddit links to a Pastebin post, which reportedly contains the emails and passwords of 400 users. What's worse is the preamble in the Pastebin post, which reads:

***** DROPBOX HACKED *****

6,937,081 DROPBOX ACCOUNTS HACKED
PHOTOS - VIDEOS - OTHER FILES

MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN
As more BTC is donated , More pastebin pastes will appear
To find them, simply search for [redacted] and you
will see any additional pastes as they are published.

Nearly seven million Dropbox accounts are being threatened, although Dropbox is denying the scope of the security compromise. "Dropbox has not been hacked," said the company in a statement to the press. "These usernames and passwords were unfortunately stolen from [third-party] services and used in attempts to log in to Dropbox accounts."

Dropbox confirmed that it had reached out to the several hundred affected users, issuing password resets in all cases.

Like in the case of the leaked Gmail passwords, it's better to err on the side of caution in such matters, yes? So if you're a Dropbox user like myself, a password change is strongly recommended. Furthermore, if you aren't using two-step authentication on your Dropbox account already, now would be a good time to turn it on (see directions here).

Sources: The Next Web | Lifehacker

I don't have dropbox, so yay for me.

Err on the side of caution. Not air.

So, these third party apps, what are they referring to here?

weirdee:
So, these third party apps, what are they referring to here?

Yeah, I'm going to have to mirror this sentiment. (at least, I think that's what you mean? apologies if not.)

How come third-party apps had access to "everyone's" passwords?
It might be applicable in some cases(?), but the notion that sites disclose passwords to others is frightening in itself.

Uhm..Captcha: burger with fries ...really captcha? really? don't parrot everything you hear. ,)

I don't think I've used a third party app pertaining to Dropbox, but I changed mine to be safe. Better to air on the side of caution....

AntiChri5:
Err on the side of caution. Not air.

Whoops!

I'm going to check this leaked archive to see if I even have a Dropbox password, and if so, what it is.

Vendor-Lazarus:
How come third-party apps had access to "everyone's" passwords?
It might be applicable in some cases(?), but the notion that sites disclose passwords to others is frightening in itself.

That's one reason why I hate those "Login with Facebook" buttons and Google linking gmail accounts with YouTube. If one thing is compromised, anything linked is vulnerable and can topple over like a set of frustrating-to-replace dominoes. (And considering FB's integrity and desire to know your full name and record your life story, I stay away from that mess altogether.) I don't even trust the email applications on my phone; a browser with extreme privacy settings for me.

It's like getting into a small room with someone everyone knows has a serious and contagious disease and taking deep breaths every time they cough. Who's going to do that even if being in the room in some way is convenient yet not necessary?

Hairless Mammoth:

Vendor-Lazarus:
How come third-party apps had access to "everyone's" passwords?
It might be applicable in some cases(?), but the notion that sites disclose passwords to others is frightening in itself.

That's one reason why I hate those "Login with Facebook" buttons and Google linking gmail accounts with YouTube. If one thing is compromised, anything linked is vulnerable and can topple over like a set of frustrating-to-replace dominoes. (And considering FB's integrity and desire to know your full name and record your life story, I stay away from that mess altogether.) I don't even trust the email applications on my phone; a browser with extreme privacy settings for me.

It's like getting into a small room with someone everyone knows has a serious and contagious disease and taking deep breaths every time they cough. Who's going to do that even if being in the room in some way is convenient yet not necessary?

I know exactly what you mean. I, too, stay away from facebook and other such numerous social sites.
Just seeing my name via the facebook comment-thing on the escapist gives me shivers, let alone every other site that has such comments. (when I forget to clear cookies and cache.)
I have a facebook account only to connect with family living 50 miles away and I'm content to let it stay that way.
I was also dragged into the youtube/google thing since I already had an account on either site, just with different names.
I think they nagged at me to decide which up until a month ago actually.

According to dropbox it wasn't hacked. The hack was a rumour.

"Posted by Anton Mityagin on October 13, 2014
Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."

Thanks, and done.

though I don't know why anyone would want a bunch of memes and dick pics

Double post sorry

And this is why passwords should be hashed and salted

http://www.howtogeek.com/176129/how-not-to-store-passwords/

don't use any third party services, so pretty damn safe. i refuse to use any spyware program that wants me to login via account somewhere else. nope, make separate account or GTFO.

though would be interested to see the list just in case.

Changed pw - might as well be safe

What the hell is up with all the leaks and hacks these days? Don't people have anything else better to do?

weirdee:
So, these third party apps, what are they referring to here?

Software, probably phone/tablet software that links to services like Dropbox that allow cross platform and combine features from several apps (like social media ones and cloud services) into one single app, and security isn't as good as it could be.

It could also be a malware app that people have been happily entering their login details into, sometimes they appear to be doing what they are supposed to and then the app creator "just happens" to "accidentally" and "without realising" sell their service to a dodgy Russian or Far Eastern owner that abuses the information collected.

Paradox SuXcess:
What the hell is up with all the leaks and hacks these days? Don't people have anything else better to do?

Criminals will always be trying to earn their ill-gotten gains, whether it's a common shoplifter or the more technologically adept ones.

Oh no please, not my poor quality university work.

luvd1:
According to dropbox it wasn't hacked. The hack was a rumour.

"Posted by Anton Mityagin on October 13, 2014
Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."

So, these are passwords that people happened to be using for both Dropbox and something else, and the hackers specifically picked Dropbox to test them in because that would cause the most panic?

Steve the Pocket:
So, these are passwords that people happened to be using for both Dropbox and something else, and the hackers specifically picked Dropbox to test them in because that would cause the most panic?

Yes, that's how the majority of hacks happen.
Exploiting a vulnerability in shitty forum software and hacking hundreds of forums for logins/passwords, then cross-testing them on all the popular websites. Most of it automated of course.
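The cross-testing described in the reply above, and the "detect suspicious login activity and automatically reset passwords" response in Dropbox's statement, as an added defender-side example (not Dropbox's or the forum's code; the log format, the sample lines and the thresholds are assumptions constructed for illustration):

```python
"""Flag credential-stuffing sources in an auth log and list accounts
whose reused password worked from such a source (candidates for a
forced reset). Constructed example; not Dropbox's detection logic."""
from collections import defaultdict

# Constructed sample log: timestamp, source IP, account, outcome.
# One source tries six different accounts in seconds (stuffing);
# another retries a single account (a user mistyping their password).
SAMPLE_LOG = """\
2014-10-13T10:00:01 198.51.100.7 alice@example.com FAIL
2014-10-13T10:00:02 198.51.100.7 bob@example.com FAIL
2014-10-13T10:00:02 198.51.100.7 carol@example.com OK
2014-10-13T10:00:03 198.51.100.7 dave@example.com FAIL
2014-10-13T10:00:04 198.51.100.7 erin@example.com FAIL
2014-10-13T10:00:05 198.51.100.7 frank@example.com OK
2014-10-13T10:00:09 203.0.113.5 alice@example.com FAIL
2014-10-13T10:00:15 203.0.113.5 alice@example.com OK
"""


def parse_log(text):
    """Return (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((ts, ip, account, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Map each suspicious source IP to the accounts it logged into.
    A source that tries many distinct accounts with a low success ratio
    looks like stolen credentials being cross-tested, not a user typo."""
    per_ip = defaultdict(lambda: {"accounts": set(), "tries": 0,
                                  "ok": 0, "ok_accounts": set()})
    for _ts, ip, account, ok in events:
        s = per_ip[ip]
        s["accounts"].add(account)
        s["tries"] += 1
        if ok:
            s["ok"] += 1
            s["ok_accounts"].add(account)
    return {ip: s["ok_accounts"] for ip, s in per_ip.items()
            if len(s["accounts"]) >= min_accounts
            and s["ok"] / s["tries"] <= max_success_rate}


def accounts_to_reset(events, **thresholds):
    """Accounts whose password worked from a stuffing source: these are
    the reused credentials to reset, and the users to notify."""
    reset = set()
    for ok_accounts in find_stuffing_sources(events, **thresholds).values():
        reset |= ok_accounts
    return sorted(reset)
```

The single-account retry from 203.0.113.5 is deliberately left unflagged, which is the distinction an automatic reset has to get right to avoid locking out legitimate users.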
