Dropbox says it was not breached, leaks came from third-party app service.
A post on the r/SysAdmin subreddit links to a Pastebin post, which reportedly contains the emails and passwords of 400 users. What's worse is the preamble in the Pastebin post, which reads:
***** DROPBOX HACKED *****
6,937,081 DROPBOX ACCOUNTS HACKED
PHOTOS - VIDEOS - OTHER FILES
MORE BITCOIN = MORE ACCOUNTS PUBLISHED ON PASTEBIN
As more BTC is donated , More pastebin pastes will appear
To find them, simply search for [redacted] and you
will see any additional pastes as they are published.
Nearly seven million Dropbox accounts are being threatened, although Dropbox is denying the scope of the security compromise. "Dropbox has not been hacked," said the company in a statement to the press. "These usernames and passwords were unfortunately stolen from [third-party] services and used in attempts to log in to Dropbox accounts."
Dropbox confirmed that it had reached out to the several hundred affected users, issuing password resets in all cases.
Like in the case of the leaked Gmail passwords, it's better to err on the side of caution in such matters, yes? So if you're a Dropbox user like myself, a password change is strongly recommended. Furthermore, if you aren't using two-step authentication on your Dropbox account already, now would be a good time to turn it on (see directions here).