Hundreds of Dropbox accounts compromised via third-party service; change your password now

Earlier today, a thread surfaced on Reddit offering up 400 Dropbox usernames and passwords in plain text, with a note that over seven million accounts have been compromised in total. Dropbox has since announced on its blog that it wasn't hacked, and that the leaked passwords were stolen from a third-party service.

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

The leak that was posted on Reddit contained hundreds of accounts with email addresses beginning with the letter "b". Dropbox is sending out password reset instructions to affected users, but as a precaution, all users are advised to change their Dropbox password. While you're at it, go ahead and enable two-factor authentication as an added layer of security.
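Dropbox's remediation, as described above, amounts to checking a posted credential dump against its own password store and expiring any password that still matches. The following is an added example, not Dropbox's code; the record layout, PBKDF2 parameters and sample accounts are constructed for illustration:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


@dataclass
class UserRecord:
    """Constructed user store entry: per-user salt and hash, never the plaintext."""
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(email: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(email, salt, hash_password(password, salt))


def expire_matching_credentials(users, leaked_pairs):
    """Check each leaked (email, password) pair against the local store.
    A pair matches only if the account exists and the leaked password
    verifies against the stored hash; matching accounts are flagged for a
    forced reset. Returns the e-mail addresses newly flagged."""
    by_email = {u.email.lower(): u for u in users}
    flagged = []
    for email, leaked_pw in leaked_pairs:
        user = by_email.get(email.lower())
        if user is None:
            continue  # dump entry for someone without an account here
        candidate = hash_password(leaked_pw, user.salt)
        # constant-time comparison so the check itself leaks no timing signal
        if hmac.compare_digest(candidate, user.pw_hash) and not user.must_reset:
            user.must_reset = True
            flagged.append(user.email)
    return flagged


def demo():
    # Constructed sample data: a small local store and a fake pasted dump
    users = [make_user("bob@example.com", "correct horse battery"),
             make_user("bella@example.com", "hunter2"),
             make_user("ben@example.com", "n3v3r-reused!")]
    leaked = [("bob@example.com", "correct horse battery"),  # reused: matches
              ("bella@example.com", "wrong-guess"),           # stale: no match
              ("brianna@example.com", "letmein")]             # no such account
    return expire_matching_credentials(users, leaked)


if __name__ == "__main__":
    print("forcing reset for:", demo())
```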

If today's news seems eerily familiar, it is because Snapchat suffered a similar hack earlier this month.

Were you one of the users affected by the hack? Let us know if you were able to successfully change your password.

Source: Dropbox

Harish Jonnalagadda

The clumsiest man in tech.

  • Another service that I will have to drop. Posted via the iMore App for Android
  • Pun intended?
  • Ha, no. But it is funny. Posted via the iMore App for Android
  • Why would you have to drop them? I don't think they've DROPped the ball in any way here.
  • You'll soon run out of services to use. Bet you still use iCloud though ;)
  • I use OneDrive. Even then, once Microsoft does something else I don't like, I drop them too. If Google does something else, I'll drop them next. Then I will have to use a Blackberry. Posted via the iMore App for Android
  • How much more does Google have to do to warrant being dropped? For me, they reached that threshold a long time ago.
  • They are transparent about everything, and it is up to consumers to read TOS and pay attention to settings and what they share and what is public. For now I just don't like Google Plus. Posted via the iMore App for Android
  • Yep, I've always known what Google does. Plus all I have is a bunch of Gmail accounts, Google Play and a YouTube account not connected to any other account. No Google Plus, no other Google services. Oh, and an old Picasa account I don't care about because nothing's in it. But I'm not paranoid about Gmail because I already know they are scanning emails and targeting ads, and I know they aren't selling emails. Plus they get enough money that they don't need to be shady with email.
  • I try my best to not put anything that could hurt me in these services. They aren't secure enough and they are always giving information to other parties. iCloud I only use for things like podcast backups and contacts, but not my financial apps. OneDrive is my main online storage and it's mostly a backup of papers I wrote, study guides for college, and photos. And there's nothing bad or embarrassing in that stuff. Also none of my documents have a Social Security number on them. Now I'm sure they could find something with an old address, but they'd have to do some work at it.
  • Personal Cloud with an external hard drive great. Safe, too. I use a nonsense sentence for my password. Odds of both failing at the same time are slim. Posted via the Android iMore App!
  • Drop what box ?? LoL
    Good for me, closed my account with them long time ago. Sent from the iMore App
  • Clearly it's the third party's security to blame!
  • Trouble is, everything this happens, "it" will change. We cannot use Dropbox, or Box at work due to security problems so they say. All services are at some form of risk. Too many back doors, and holes in programs. Sent from the iMore App
  • That would be every time. Sent from the iMore App
  • Every time, sorry. Need coffee. Sent from the iMore App
  • I have two-factor authentication enabled with SMS. Doubt someone will be able to access my account. But this made me move my remaining files from Dropbox over to OneDrive. It was hard to resist the offer - 1TB for $2.50
  • I dropped dropbox when Condoleezza Rice was signed to the board of directors.
  • I just enabled two-step authentication... for some reason I thought I already had it enabled, but clearly I didn't :/ .... May switch back to OneDrive, but I remember it performing so poorly on my Mac when I previously downloaded it....
  • Still haven't seen anywhere mentioned as to what third party service it was...
  • I haven't personally linked into the Dropbox API, but it seems to me that whichever service leaked these did a horrible job of integrating with Dropbox. They should be using tokenized authentication to avoid storing Dropbox user passwords in their database. Yup... just looked at their Developer API site. A pretty prominent Best Practices link states the following at the top: "User authorization: Never handle user login and password information. All application authentication should be completed using OAuth. Each official SDK has an approved implementation of OAuth and you should use one of these in your app if possible."
  • Not a good week for Dropbox. First a bunch of files get deleted and now this.
  • I had Dropbox early, still have the account, but OneDrive has been my go-to. My Dropbox has never gotten above 4 GB free for me (though I haven't kept up with it). My OneDrive has 40 GB of free storage.