Dropbox has thrown cold water on media reports that claimed the cloud storage service had been hacked, indicating instead that it was another, unnamed service that had been victimized.
Those reports came after an anonymous hacker made several posts on Pastebin.com claiming to have 6.9 million Dropbox account login emails and passwords, and asked for Bitcoin donations with a link to an account. The hacker also posted hundreds of account emails and passwords, many of which were weak with simple, six-character-minimum words or numerical codes.
"As more BTC is donated, more pastebin pastes will appear," one Pastebin post read, though only two transactions for a grand total of 0.0002 Bitcoins had transpired as of press time.
In a Reddit thread about the purported Dropbox hack, several Reddit members claimed that some of the passwords still worked, but on Monday, Dropbox flatly denied that its service was hacked. Instead, the company announced that the stolen credentials were lifted from a different, unnamed service.
"Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe," wrote Dropbox's Anton Mityagin in a blog post. "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."
Mityagin also stated that Dropbox checked "a subsequent list of usernames and passwords" that had been posted online and confirmed that the credentials are not associated with Dropbox accounts.
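The detection Dropbox describes above, spotting stolen credentials being replayed against many accounts and forcing a reset on the accounts that were actually entered, can be illustrated with a small log-analysis script. This is an added example, not Dropbox's code: the log line format, the IP addresses and usernames, and the thresholds (five distinct accounts within ten minutes) are all constructed assumptions.

```python
"""Credential-stuffing detection over constructed login-audit lines.

Added example (not Dropbox's code). The signature of a stolen-credential list
being replayed is one source trying many *different* accounts in a short
window, which is what separates it from a legitimate user mistyping their own
password a few times. Accounts that a flagged source logged into successfully
are the ones to force through a password reset.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption):
# <ISO timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2014-10-13T09:00:01Z 203.0.113.7 alice@example.com FAIL
2014-10-13T09:00:02Z 203.0.113.7 bob@example.com FAIL
2014-10-13T09:00:03Z 203.0.113.7 carol@example.com OK
2014-10-13T09:00:04Z 203.0.113.7 dave@example.com FAIL
2014-10-13T09:00:05Z 203.0.113.7 erin@example.com FAIL
2014-10-13T09:00:06Z 203.0.113.7 frank@example.com OK
2014-10-13T09:00:07Z 198.51.100.4 alice@example.com OK
2014-10-13T09:30:00Z 198.51.100.4 alice@example.com FAIL
2014-10-13T09:30:05Z 198.51.100.4 alice@example.com OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=10), distinct_users=5):
    """Return {ip: peak distinct usernames tried within `window`} for sources
    that reach the `distinct_users` threshold. Failures alone are not counted:
    a single user failing repeatedly against their own account is not stuffing.
    """
    flagged = {}
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    for ts, ip, user, _ok in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= distinct_users:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that a flagged source logged into successfully: the reused
    credential is known-good and the password must be reset."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    sources = flag_stuffing_sources(ev)
    print("flagged sources:", sources)
    print("force password reset:", accounts_to_reset(ev, sources))
```

On the sample data the script flags only 203.0.113.7 (six distinct accounts in six seconds) and queues carol and frank for a reset, while alice, who failed once from her usual address and then succeeded, is left alone. In a real deployment the per-IP heuristic needs care: large NAT gateways or corporate proxies put many legitimate users behind one address, so the threshold should be tuned against a baseline and combined with other signals (geolocation changes, new device fingerprints) before an automatic reset fires.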
Hack or no hack, 2FA is good
Despite refuting the Dropbox hack, Mityagin encouraged customers to enable two-factor authentication (2FA) and to avoid using the same passwords for multiple services.
Dropbox has offered 2FA services since 2012, after a similar security episode earlier that year where usernames and passwords stolen from other services were used to access a small number of Dropbox accounts. One of those accounts belonged to a Dropbox employee, which hackers used to spam user email addresses contained within a company project document.
The lack of two-factor authentication protection has been cited as a major weak point following incidents such as the recent Apple iCloud hack, where hackers were able to crack the passwords of several female celebrities and expose personal pictures and videos stored on the cloud service. After the incident, Apple extended 2FA services for all data stored in iCloud. Previously, the service didn't cover such areas as accessing users' Photo Streams, restoring an iCloud backup to a new device, and making iTunes, App Store and iBookstore purchases from a new device.
Joe Siegrist, CEO of password management vendor LastPass in Fairfax, Va., said users in both the enterprise and consumer spaces should enable 2FA for all online accounts, but noted that adoption has lagged in the consumer space.
"We've seen higher penetration of 2FA in the enterprise space, but we don't see that happening in the consumer space yet," Siegrist said.
In addition to enabling 2FA, Siegrist said users should stop using the same passwords across multiple services and websites, a common practice that puts both consumer and corporate sites at risk.
"If you're using the same password for everything, it only takes one site to be compromised, and then everything is compromised," Siegrist said. "You see announcements from companies all the time after a breach telling people to change their passwords for a site. But what they should really be telling people is to change your passwords for all the different sites you use that particular password for."