The popular Dropbox cloud file storage service is denying allegations that it was hacked, as an anonymous source leaked information Dropbox account holders.
The anonymous allegation against Dropbox was publicly posted on Pastebin and claims that 6,937,081 Dropbox accounts were hacked, though initially only 400 Dropbox accounts were publicly posted. The anonymous Pastebin poster has requested Bitcoin donations to release more Dropbox user information.
For its part, Dropbox is refuting the claim that it was hacked and has stated that its users’ content is safe.
“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” the company wrote in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”
Dropbox added that it has policies in place to help detect suspicious login activity to help protect users. When suspicious logins occur, Dropbox can reset the user’s password. Additionally, Dropbox suggests that users employ two-factor verification to provide an additional layer of protection to their accounts. With two-factor verification, the username and password is supplemented by a second factor (or password) that is generated via a mobile text message to the user’s phone.
Dropbox isn’t the only online service whose users have been victimized by accounts stolen from third-party services and sites.
In September, hackers claimed to have obtained information on 5 million Google account holders. At the time, Google denied it had been breached directly and stated, like Dropbox, that the information came from another hacked source. Although Google itself was not breached, the tech giant had to reset the passwords for 100,000 users. There was also collateral damage from the Google account leak that spread to popular online blogging platform WordPress, which also had to reset 100,000 user accounts.
The root cause of the Google leak and the new Dropbox account disclosure are not publicly known, but we do know that username/password reuse is a significant threat to Internet security.
When users employ the same username and password combination on more than one site, the risk of any one single data breach is compounded. Once again, the need for users to deploy two-factor authentication is crucial.
By employing unique username/password combinations and leveraging two-factor authentication tools, the risks of account disclosures and hacks can be minimized.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.