Earlier this week, The Next Web reported on a Reddit thread that linked to an anonymous Pastebin.com post containing a few hundred Dropbox account passwords, along with a promise to release a much larger cache of 7 million accounts, including some content leaked from them, in exchange for Bitcoin donations. Dropbox quickly responded in a statement to The Next Web, saying it had not been hacked and that Dropbox accounts were safe.
Dropbox's statement said it has security measures in place to detect suspicious activity on accounts. Dropbox security engineer Anton Mityagin believes the usernames and passwords were most likely stolen from other websites and services, and that attackers were trying to take advantage of users who reuse the same password across multiple accounts. He added that Dropbox's systems automatically reset an account's password when they detect suspicious activity.
Not long ago, a similar event happened with the list of 5 million leaked Gmail account credentials, which turned out to be information gathered from various other accounts and services where the user had signed up with a Gmail address. Many of the passwords on that list were outdated or simply wrong, and Google reported that only 2% of the accounts were actually vulnerable. That does not mean users should ignore the situation completely, though. Following some basic security precautions is a good idea.
Do Not Share Passwords across Accounts
Rule number 1 is never to reuse passwords on your important accounts. Ideally no password is reused at all, but at a minimum, keep your sensitive accounts more secure by giving each one a different password. If you have a hard time remembering them, consider using a password manager, or a physical notebook kept carefully hidden away. If you still share some passwords, you should update them every few months to a year, at a minimum.
Enable 2-Step Authentication on Dropbox
More and more sites now support two-step authentication, and we highly suggest you upgrade your Dropbox security by turning it on. The system works by pairing your password with a piece of hardware you own, such as your mobile phone, which must supply a second code before a login is accepted. This creates a security barrier against unauthorized users trying to log in to your account with a stolen password alone.
It very much seems that this specific leak was more of a scare hoax, and/or an attempt to quickly profit from Bitcoin donations. Other security analysts have also said there is no need to panic or to immediately change account passwords, but it is a good reminder of the importance of better security habits, including having a unique password for your email accounts. If you think your Dropbox account may share a password with other important services, resetting your password can only be a good idea nonetheless.