Millions and millions of Dropbox logins have not been stolen – well, not recently, anyway – the company said on Monday.
A Reddit thread emerged on Monday containing hundreds of Dropbox account usernames and passwords in plain text.
A Pastebin guest also posted documents with about 400 login details that he claimed were a subset of a monster master list of 7,000,000 accounts, promising “more to come” for trusting souls who cough up Bitcoin payments to “keep showing your support”.
Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on [redacted] for the term Dropbox hack.
More to come, keep showing your support
Calumny, slander, lies, Dropbox said: all those details were expired, past their sell-by date, yesterday’s fish, pushing up daisies.
In fact, the passwords and usernames had been wiggled out, but not from Dropbox. Rather, they were stolen from third-party services in previous attacks that happened “some time” ago, the company said.
Dropbox told users to change their passwords after detecting suspicious activity and told The Next Web that this all went down months ago.
Here’s the statement form Dropbox:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.
We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
The Register checked the Bitcoin account that had been set up to milk the gullible and found that exactly zero people fell for the ruse, making this an utter #FAIL of a fleecing.
But what about the Reddit users who reportedly tested some of the leaked logins and confirmed that at least some of them work?
Well, just because the passwords were reset doesn’t mean that people didn’t resort to the utterly, depressingly common habit of reusing passwords.
Let’s take a look at some of the passwords that one Reddit user said worked:
Those are not strong passwords. They’re too short and/or use leetspeak to swap characters in a manner that password crackers know all too well and/or seriously?! That’s a well-known American rock band, for crying out loud.
Crooks of course know that internet users often reuse passwords.
They also know that third-party apps, such as the one from which these Dropbox logins were originally stolen, are often written by amateur developers and can have weak security.
They can be, in other words, very easy targets. Third-party services can have the same usernames/passwords as the more-secure apps they’re built around, thus for all purposes they often serve as open windows into an otherwise locked house.
In fact, an attack against a SnapChat third-party service, SnapSaved (which promised to do exactly that: save the supposedly disappearing images before they disappeared), was how hundreds of thousands of SnapChat images wound up bobbing up on the internet last week.
The moral of the Dropbox/and SnapChat story: be careful with those third-party services, and please don’t reuse passwords!
Stick to the rule of one account/one password.
If you can’t remember them all, try using a password manager.
If you do use a password manager, it means you’ll just have to remember one password, so make it long and strong.
Please don’t use the name of your pet or a well-known band – or a well-known anything, for that matter!
Here’s a video which might help you pick a proper password:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
2 comments on “Dropbox passwords leaked, third-party services blamed”
I’ve taken it one step further. Every website gets both a unique username & unique password. I purchased my own domain and set up a catch all email account. Every time I create an account online I create a unique username as well. For those annoying sites that demand a email address as the username that’s where the catch all email comes in, you simply create a unique address just for that site. For example site XYZ wants an email as the username, I create xyz@.com or have a password manager/generator create a random eight letter password and use that as the username part of the email. Such as Wx9WM6q3@.com
This works fine until you have to communicate with the site using your catch all email (I am assuming you are setting up aliases not mailboxes for each email address). Sorry if I am wrong.