If you use Dropbox, then you need to change your password immediately. A thread has surfaced on Reddit that claims that millions of passwords may have been compromised. The thread contains links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text.
In a posting on Pastebin, which we will not link to as it contains account data, the user claims that 7 million account user names and passwords have been compromised. To prove that the information is real, 420 user names and passwords have been posted.
In fact, in four Pastebin files linked to from the site, a few hundred username and password pairs were listed in plain text as “teases” for a full leak from an anonymous user, who claims that more username/password pairs will be released if they receive donations to their Bitcoin address. A message at the top of the leaks said:
Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on [redacted] for the term Dropbox hack.
More to come, keep showing your support
One user, Michael Armogan, shared the contents of an email he received from Dropbox:
We’re reaching out to let you know about a Selective Sync issue that affected a small number of Dropbox users. Unfortunately, some of your files were deleted when the Dropbox desktop application was shut down or restarted while you were applying Selective Sync settings.
Our team worked hard to restore files that were deleted from your account. You can see which of your files were affected and whether or not we’ve been able to restore them on this personalized web page.
We’re very sorry about what happened. There’s nothing more important to us than making sure your information is safe and always available. Our team has fixed the issue and put additional tests in place to prevent this from happening in the future.
It is important to note here that users in the Reddit thread have already confirmed that some of the credentials in the spreadsheet worked. However, it’s not clear where these credentials actually came from or how many users were affected.
So far, Dropbox has not acknowledged the issue on its blog, via its Twitter account, or on its Facebook page. As compensation, Dropbox has said that it would offer affected users a free one-year Dropbox Pro subscription.
However, to be safe, it’s wise to enable two-step verification and immediately change your password to a stronger one, even if you don’t appear to be affected.