Dropbox hack denied, but company encourages 2FA use anyway

Dropbox denied reports that a hacker had obtained 6.9 million customer usernames and passwords from the cloud storage service, but encouraged customers to enable its two-factor authentication (2FA) feature regardless.

Dropbox has thrown cold water on media reports that claimed the cloud storage service had been hacked, indicating instead that it was another, unnamed service that had been victimized.

Those reports came after an anonymous hacker made several posts on Pastebin.com claiming to hold 6.9 million Dropbox account email addresses and passwords, and asked for Bitcoin donations, linking to a wallet address. The poster also published hundreds of email and password pairs, many of them weak: simple words or numeric codes at the six-character minimum length.

"As more BTC is donated, more pastebin pastes will appear," one Pastebin post read, though only two transactions for a grand total of 0.0002 Bitcoins had transpired as of press time.

In a Reddit thread about the purported Dropbox hack, several Reddit members claimed that some of the passwords still worked, but on Monday, Dropbox flatly denied that its service was hacked. Instead, the company announced that the stolen credentials were lifted from a different, unnamed service.

"Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe," wrote Dropbox's Anton Mityagin in a blog post. "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens."

Mityagin also stated that Dropbox checked "a subsequent list of usernames and passwords" that had been posted online and confirmed that the credentials are not associated with Dropbox accounts.
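The check Mityagin describes, taking a posted list of email and password pairs and asking "would any of these actually log in here?", is straightforward to run against a site's own user store, and it is the only honest way to decide between "not our breach" and "our users are exposed through reuse." The script below is an added example, not Dropbox's code: the user records, the PBKDF2 parameters and the leaked list are all constructed here so it runs offline. It verifies each leaked pair against the stored salted hash and sorts accounts into those that must be force-reset, those whose email exists but whose leaked password does not match, and those not associated with the service at all.

```python
"""Triage a posted credential dump against a site's own user store.

Added example (not Dropbox's code). The user store, hashing parameters
and the leaked list are constructed fixtures so the script runs offline.
"""
import hashlib
import hmac
import os

# Constructed hashing parameters: a real service would use its existing
# scheme (bcrypt, scrypt, Argon2, or PBKDF2 with a tuned work factor).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same function used at signup."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_user_store(accounts):
    """Build {email: (salt, hash)} from constructed signup data.

    The plaintext passwords exist only to create the fixture; the store
    itself never holds them, just as a real database would not.
    """
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


# Constructed user store for the example.
USER_STORE = build_user_store([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "S3cure!Pass#2014"),
])

# Constructed dump in the "email:password" form seen in the Pastebin posts.
# Note the mixed-case email and the junk line a real paste would contain.
LEAKED_DUMP = """\
alice@example.com:password1
bob@example.com:hunter2
dave@example.com:letmein
Carol@Example.com:S3cure!Pass#2014
this line has no separator and must be skipped
"""


def parse_dump(text: str):
    """Yield (email, password) pairs; emails are normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines instead of crashing the whole run
        email, password = line.split(":", 1)  # passwords may themselves contain ':'
        pairs.append((email.strip().lower(), password))
    return pairs


def verify(store, email: str, password: str) -> bool:
    """Return True only if the leaked password reproduces the stored hash."""
    record = store.get(email)
    if record is None:
        return False
    salt, expected = record
    # Constant-time comparison so the check itself does not leak timing info.
    return hmac.compare_digest(hash_password(password, salt), expected)


def triage_dump(store, dump_text: str):
    """Classify every leaked pair.

    'reset'      - the pair would log in: force a password reset now.
    'email_only' - the email is a customer, but the leaked password is not
                   theirs here; worth a warning about reuse, not a reset.
    'unknown'    - not associated with this service at all.
    """
    result = {"reset": [], "email_only": [], "unknown": []}
    for email, password in parse_dump(dump_text):
        if email not in store:
            result["unknown"].append(email)
        elif verify(store, email, password):
            result["reset"].append(email)
        else:
            result["email_only"].append(email)
    return result


if __name__ == "__main__":
    for bucket, emails in triage_dump(USER_STORE, LEAKED_DUMP).items():
        print(f"{bucket}: {emails}")
```

Two points of practice are worth noting. The check verifies only the exact leaked password per account, so the cost is one hash per line, not a brute-force run; and accounts in the `reset` bucket should be reset and notified immediately, since, as the article's Reddit reports suggest, attackers will be replaying the same list against the login form at the same time.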

Hack or no hack, 2FA is good
Despite denying the Dropbox hack, Mityagin encouraged customers to enable two-factor authentication (2FA) and to avoid using the same password across multiple services.

Dropbox has offered 2FA services since 2012, after a similar security episode earlier that year where usernames and passwords stolen from other services were used to access a small number of Dropbox accounts. One of those accounts belonged to a Dropbox employee, which hackers used to spam user email addresses contained within a company project document.

The lack of two-factor authentication protection has been cited as a major weak point following incidents such as the recent Apple iCloud hack, where hackers were able to crack the passwords of several female celebrities and expose personal pictures and videos stored on the cloud service. After the incident, Apple extended 2FA services for all data stored in iCloud. Previously, the service didn't cover such areas as accessing users' Photo Streams, restoring an iCloud backup to a new device, and making iTunes, App Store and iBookstore purchases from a new device.

Joe Siegrist, CEO of password management vendor LastPass in Fairfax, Va., said users in both the enterprise and consumer spaces should enable 2FA for all online accounts, but noted that adoption has lagged in the consumer space.

"We've seen higher penetration of 2FA in the enterprise space, but we don't see that happening in the consumer space yet," Siegrist said.

In addition to enabling 2FA, Siegrist said users should stop using the same passwords across multiple services and websites, a common practice that puts both consumer and corporate sites at risk.

"If you're using the same password for everything, it only takes one site to be compromised, and then everything is compromised," Siegrist said. "You see announcements from companies all the time after a breach telling people to change their passwords for a site. But what they should really be telling people is to change your passwords for all the different sites you use that particular password for."


2FA should be used with every web application to augment simple username/password authentication. The industry still has a long way to go to implement this, but maybe the breadth of recent hacks will encourage people to practice better security habits.

Two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password. Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses. At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.