Hackers are threatening a major breach in Dropbox security, claiming to have stolen the login details of almost 7 million users, and promising to release more password details if they're paid a Bitcoin ransom.
However, Dropbox has denied it has been hacked, saying the passwords were stolen from third-party services.
An entry on Pastebin, posted on October 13 at 4:10 p.m. CDT, shows a list of 400 emails and matching plain text passwords, claimed to be part of a large-scale Dropbox hack.
The login details for the 400 email addresses, each one starting with the letter B, have been labelled as a "first teaser...just to get things going". The perpetrators are also promising to release more details if they're paid for the information.
More Bitcoin = more accounts published on Pastebin. As more BTC is donated, More pastebin pastes will appear.
It is unclear how the account details were accessed and, indeed, whether or not they are actually legitimate. However, the hackers claim to have accessed details from 6,937,081 individual accounts and are threatening to release photos, videos and other files.
However, a Dropbox spokesperson has denied the hack:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
Despite this, The Next Web reports that Dropbox has forced a password reset for the accounts listed in the Pastebin post.
Regardless of the veracity of the hackers' claims, it is probably worth changing your password while the full scope of the problem remains unclear. As an added security measure, Dropbox also offers two-factor authentication, which can be enabled from the security settings page in a couple of minutes.
If one thing can be learnt from the alleged breach, it's that passwords should consist of more than two letters, and should probably not contain your own name.
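The two responses described above, checking a posted list against your own user base and expiring any matching passwords, and detecting the credential-stuffing logins that reuse such lists, can both be automated. The following Python is an added example written for this article, not code from the original page or from Dropbox; the leaked list, user records and login log are constructed sample data (addresses use example.com and IPs come from documentation ranges), and PBKDF2 stands in for whatever password hash a real service uses.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample "paste" in the email:password format the article describes.
LEAKED_LIST = """
bob@example.com:bob
brenda@example.com:Summer2014!
bruce@example.com:hunter2
""".strip()

# Constructed user base. bob reused his leaked password; brenda did not;
# bruce is not a user of this service at all.
USERS = {"bob@example.com": "bob", "brenda@example.com": "Unrelated-Pw-42"}

# Constructed login-attempt log: (source_ip, email, succeeded)
LOGIN_LOG = [
    ("203.0.113.5", "bob@example.com", True),
    ("203.0.113.5", "brenda@example.com", False),
    ("203.0.113.5", "bruce@example.com", False),
    ("203.0.113.5", "bill@example.com", False),
    ("203.0.113.5", "beth@example.com", False),
    ("198.51.100.7", "brenda@example.com", False),
    ("198.51.100.7", "brenda@example.com", True),
]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is a stdlib stand-in; bcrypt/scrypt/Argon2 in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(users: dict) -> dict:
    # Each account gets its own random salt; only salt and hash are stored.
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


def parse_leak(text: str) -> list:
    # Tolerate blank lines and passwords that themselves contain ':'.
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.append((email.strip().lower(), password))
    return creds


def accounts_to_expire(leak_text: str, store: dict) -> list:
    """Emails whose current password equals the leaked one: force a reset."""
    hits = []
    for email, leaked_pw in parse_leak(leak_text):
        record = store.get(email)
        if record is None:
            continue  # not associated with one of our accounts
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            hits.append(email)
    return hits


def stuffing_sources(log: list, min_accounts: int = 3, min_fail_ratio: float = 0.5) -> dict:
    """Source IPs that tried many distinct accounts with mostly failed logins."""
    attempts = defaultdict(list)
    for ip, email, ok in log:
        attempts[ip].append((email, ok))
    flagged = {}
    for ip, tries in attempts.items():
        distinct = {email for email, _ in tries}
        failures = sum(1 for _, ok in tries if not ok)
        if len(distinct) >= min_accounts and failures / len(tries) >= min_fail_ratio:
            flagged[ip] = len(distinct)
    return flagged


STORE = make_user_store(USERS)

if __name__ == "__main__":
    print("force reset:", accounts_to_expire(LEAKED_LIST, STORE))
    print("stuffing sources:", stuffing_sources(LOGIN_LOG))
```

The first check deliberately hashes the leaked plaintext under each account's own salt rather than comparing plaintexts, so the posted list never needs to be stored alongside user data; the second is a coarse heuristic (many distinct accounts from one source, mostly failing) that a real service would combine with rate limiting and the two-factor option the article mentions.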
Update, 4:55 p.m. AEST: Dropbox has issued a statement on its blog further clarifying that the Dropbox passwords were stolen from "unrelated services":
The usernames and passwords...were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place that detect suspicious login activity and we automatically reset passwords when it happens.
Update, October 15 at 4:20 p.m. AEST: Dropbox has updated its most recent statement, acknowledging the release of more passwords but denying their validity:
A subsequent list of usernames and passwords has been posted online. We've checked and these are not associated with Dropbox accounts.
CNET has sought further comment from Dropbox, including which "unrelated services" the login credentials were taken from.