Dropbox passwords held to ransom after third-party leak

Hackers claim to have stolen the login details of almost seven million Dropbox users. Having released a teaser file on Pastebin with details of around 400 accounts they’re offering to release more in exchange for a Bitcoin ransom.

Like the Snapchat photo leak it seems that this information has come from insecure third-party services rather than from Dropbox itself.

In a post on the Dropbox blog the company's Anton Mityagin says, "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens".

A later list of passwords posted yesterday are, says Dropbox, not associated with its services. It appears that the breach doesn't stem from services using the service’s API -- as with Snapchat -- but from simple poor user practice in reusing passwords across multiple sites. Once again a third-party is the weak link here though there's a new twist in the form of the hackers trying to make a quick profit from the information via Bitcoin.

It's not currently clear which site or service is the source of the breach, which potentially means that other services are at risk too. Dropbox says the initially posted batch of 400 credentials have now been reset. It also recommends that users enable two-factor authentication on their accounts to add an extra layer of protection.

This is the second bad news for Dropbox this week after it confirmed the existence of a bug that was deleting user files.

Image Credit: alexmillos / Shutterstock