If you use Dropbox, you need to change your password immediately; by all indications, there has been a breach in account security. In a leak on Pastebin (which we won't link, as it contains sensitive account information), the poster claims to have the usernames and passwords of nearly 7 million Dropbox users. As proof, 420 username and password pairs have been posted.
Dropbox has taken quick action as well, and is now forcing everyone affected by the leak to change their password. If you attempt to log in with any of the posted combinations, Dropbox reports that the password has expired.
Neowin can confirm that some of the accounts are real and that this appears to be a legitimate breach of account security: we have seen some of the leaked credentials authenticate successfully against Dropbox's servers.
Dropbox has said that it was not its own service that was compromised, but third-party services from which the credentials were stolen. Its statement, given to TNW, follows:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
What's odd about this statement is that, if the attack was already known, some of the credentials in the Pastebin dump still authenticated. You would think that Dropbox could have expired all of the affected passwords before the dump appeared (the statement itself says only that the "vast majority" had been expired), but at this time we have to take their word for it.
While Dropbox has taken quick action, we know that many users reuse the same password across multiple sites, which is exactly what makes a list stolen from one service usable against another. Because of this, it is best to use a unique password for every site, so that if one site is breached you do not have to change your password everywhere else. Furthermore, it is best to enable two-factor authentication on every site that offers it.
It goes without saying that this will hurt Dropbox's reputation, but it will also affect the entire industry too, as some users are already nervous about giving other companies the ability to store their content.
This is the third time this week that Dropbox has been in the news with a headline it would likely rather bury. Earlier this week we reported a bug in the service that could permanently delete a file, and Edward Snowden said you should not use the platform at all.
Update: Dropbox has once again stated that its service has not been hacked and that the leaked list of credentials came from a different service. People are now trying to exploit that list by logging in to other websites where users reused their passwords.
What this means is that users who reuse their passwords are still at risk, though Dropbox says it is keeping an eye out for suspicious activity. The best policy here is obvious: never use the same password on two services, and enable two-factor authentication on every service that supports it.
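The "suspicious activity" a service watches for in this situation is credential stuffing: one source replaying a leaked username/password list against many accounts, with most attempts failing because only reused passwords work. The following is an added example, not Dropbox's code, of the detection logic and the response the article describes (expiring the passwords of accounts the stolen list actually opened). The log format and the source IPs are constructed for the demonstration, and the thresholds are assumptions a real deployment would tune.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example, not Dropbox's code. The log format is invented for the
demonstration: one line per login attempt,
    <timestamp> <source_ip> <username> <OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data): one source (203.0.113.7) cycles
# through a leaked list and succeeds only where the password was reused;
# two ordinary users log in normally from their own addresses.
SAMPLE_LOG = """\
2014-10-13T20:01:02Z 203.0.113.7 alice FAIL
2014-10-13T20:01:03Z 203.0.113.7 bob FAIL
2014-10-13T20:01:03Z 203.0.113.7 carol OK
2014-10-13T20:01:04Z 203.0.113.7 dave FAIL
2014-10-13T20:01:04Z 203.0.113.7 erin FAIL
2014-10-13T20:01:05Z 203.0.113.7 frank FAIL
2014-10-13T20:01:05Z 203.0.113.7 grace OK
2014-10-13T20:01:06Z 203.0.113.7 heidi FAIL
2014-10-13T20:02:10Z 198.51.100.20 alice OK
2014-10-13T20:03:11Z 198.51.100.21 bob FAIL
2014-10-13T20:03:15Z 198.51.100.21 bob OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    compromised: set = field(default_factory=set)  # accounts that opened


def parse_log(text):
    """Yield (source_ip, username, succeeded); skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def stats_by_source(text):
    """Aggregate attempts, successes and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes += 1
            s.compromised.add(user)
    return stats


def flag_stuffing_sources(text, min_distinct_users=5, max_success_rate=0.5):
    """Return the source IPs whose behaviour looks like credential stuffing.

    Heuristic (an assumption of this example, to be tuned per site): a single
    source tries many *distinct* usernames and most attempts fail, because a
    list stolen from another service only works where the password was reused.
    A user mistyping their own password hits one username, so is not flagged.
    """
    flagged = set()
    for ip, s in stats_by_source(text).items():
        if (len(s.usernames) >= min_distinct_users
                and s.successes / s.attempts <= max_success_rate):
            flagged.add(ip)
    return flagged


def accounts_to_expire(text, **thresholds):
    """Usernames that authenticated successfully from a flagged source.

    These are the accounts whose reused password is now confirmed to work
    here; the response the article describes is to expire the password and
    force a reset, rather than waiting for the list to be published.
    """
    stats = stats_by_source(text)
    expire = set()
    for ip in flag_stuffing_sources(text, **thresholds):
        expire |= stats[ip].compromised
    return expire


if __name__ == "__main__":
    print("stuffing sources:", sorted(flag_stuffing_sources(SAMPLE_LOG)))
    print("force password reset for:", sorted(accounts_to_expire(SAMPLE_LOG)))
```

On the constructed log, the attacker address is flagged (8 distinct usernames, 2 of 8 attempts succeeded) and `carol` and `grace` are the accounts to expire; `bob`, who failed once from his own address and then succeeded, is left alone. Two-factor authentication closes the remaining gap, because a reused password alone no longer opens the account.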