Dropbox passwords leaked, third-party services blamed

Millions and millions of Dropbox logins have not been stolen – well, not recently, anyway – the company said on Monday.

A Reddit thread emerged on Monday containing hundreds of Dropbox account usernames and passwords in plain text.

A Pastebin guest also posted documents with about 400 login details that he claimed were a subset of a monster master list of 7,000,000 accounts, promising “more to come” for trusting souls who cough up Bitcoin payments to “keep showing your support”.

Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts

To see plenty more, just search on [redacted] for the term Dropbox hack.

More to come, keep showing your support

Calumny, slander, lies, Dropbox said: all those details were expired, past their sell-by date, yesterday’s fish, pushing up daisies.

In fact, the passwords and usernames had been wiggled out, but not from Dropbox. Rather, they were stolen from third-party services in previous attacks that happened “some time” ago, the company said.

Dropbox told users to change their passwords after detecting suspicious activity and told The Next Web that this all went down months ago.

Here’s the statement from Dropbox:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.

We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

The Register checked the Bitcoin account that had been set up to milk the gullible and found that exactly zero people fell for the ruse, making this an utter #FAIL of a fleecing.

But what about the Reddit users who reportedly tested some of the leaked logins and confirmed that at least some of them work?

Well, just because the passwords were reset doesn’t mean that people didn’t resort to the utterly, depressingly common habit of reusing passwords.

Let’s take a look at some of the passwords that one Reddit user said worked:

Those are not strong passwords. They’re too short and/or use leetspeak to swap characters in a manner that password crackers know all too well and/or seriously?! That’s a well-known American rock band, for crying out loud.
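The point about leetspeak is that cracking rule sets undo those substitutions routinely, so a password policy should judge the recovered base word, not the disguised string. The following is an added example of such a check (not from the article or from Dropbox); the substitution map and the blocklist are constructed stand-ins for the large lists a real deployment would load.

```python
import re

# Substitutions that cracking rule sets undo routinely (constructed subset).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a real blocklist (dictionary words, band names,
# pet names, leaked-password corpora). Load a large list in practice.
BLOCKLIST = {"password", "dropbox", "nirvana", "metallica", "princess"}


def candidates(pw: str) -> set[str]:
    """Base words a cracker's rules would recover from pw.

    Both orders matter: de-leet then strip the trailing suffix
    (M3t4ll1c4! -> metallica), and strip the suffix then de-leet
    (dr0pb0x2014 -> dropbox).
    """
    def strip_suffix(s: str) -> str:
        return re.sub(r"[^a-z]+$", "", s)

    low = pw.lower()
    return {strip_suffix(low.translate(LEET)),
            strip_suffix(low).translate(LEET)}


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"too short: {len(pw)} chars, need {min_len}")
    hits = sorted(c for c in candidates(pw) if c in BLOCKLIST)
    if hits:
        problems.append(f"blocklisted word once leetspeak is undone: {hits[0]}")
    return problems


if __name__ == "__main__":
    for sample in ["M3t4ll1c4!", "dr0pb0x2014", "Nirvan4",
                   "correct-horse-battery-staple-42"]:
        print(sample, "->", check_password(sample) or "ok")
```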

Crooks of course know that internet users often reuse passwords.

They also know that third-party apps, such as the one from which these Dropbox logins were originally stolen, are often written by amateur developers and can have weak security.

They can be, in other words, very easy targets. Third-party services often hold the same usernames and passwords as the more secure apps they’re built around, so for all practical purposes they serve as open windows into an otherwise locked house.

In fact, an attack against a SnapChat third-party service, SnapSaved (which promised to do exactly that: save the supposedly disappearing images before they disappeared), was how hundreds of thousands of SnapChat images wound up bobbing up on the internet last week.

The moral of the Dropbox and SnapChat story: be careful with those third-party services, and please don’t reuse passwords!

Stick to the rule of one account/one password.

If you can’t remember them all, try using a password manager.

If you do use a password manager, it means you’ll just have to remember one password, so make it long and strong.

Please don’t use the name of your pet or a well-known band – or a well-known anything, for that matter!

Here’s a video which might help you pick a proper password:
