Dropbox said Monday that a list of login credentials posted online early this week did not come from an attack on Dropbox itself. Instead, the company said, hackers stole usernames and passwords from other services and attempted to use those credentials to access Dropbox accounts.
“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox,” said Anton Mityagin of Dropbox’s security team in a blog post. “Attackers then used these stolen credentials to try to log in to sites across the Internet, including Dropbox.”
Hundreds of username and password combinations allegedly belonging to Dropbox users appeared early this week on the website Pastebin, a common dumping ground for hackers to post such information. An accompanying message alleged that 7 million Dropbox accounts were hacked in total, The Next Web reported Monday, and the hacker or hackers were asking for money before posting the rest of the information. However, Dropbox later said that the usernames and passwords in a larger list posted online were “not associated with Dropbox accounts.”
Dropbox also said it recently reset passwords on accounts which showed suspicious login activity, a move it said prevented the service from being breached. “We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Mityagin wrote. Dropbox also emailed any affected users and advised them to change their passwords on Dropbox as well as other Internet services.
Hackers often target less secure platforms to steal login information they then use on other websites, as seems to be the case here. That’s why it’s a good idea to use different passwords on different websites as well as activate two-step authentication wherever available.