Millions affected by Dropbox breach - but is it a scam?

An anonymous group of hackers claims to have compromised seven million Dropbox accounts, although there is early speculation that this could be a Bitcoin scam or duplicate data coming from an earlier breach.

Millions affected by Dropbox breach - but is it a scam?
Millions affected by Dropbox breach - but is it a scam?

The Next Web newswire first reported that the group posted documents onto the Pastebin website where it boasted that it had accessed accessed 6,937,081 Dropbox accounts, and would release the usernames and passwords of the first 400 in exchange for Bitcoin donations.

Dropbox has since expired these logins but there has since been considerable confusion on internet forums on the source of the hack and the authenticity of the passwords. Reddit users have openly questioned if the credentials are valid, while some Dropbox users have mistakenly claimed that the compromise resulted in the loss of documents, when this was in fact down to an earlier Selective Sync mobile application flaw.

In addition, others have claimed that the cloud storage provider was storing passwords in plain text (Dropbox does store files using AES-256 encryption, but its website makes no mention of hashed and salted passwords).

“Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts,” wrote the purported hackers. “..More to come, keep showing your support.”

Dropbox has denied claims that it had been hacked, suggesting that a third-party was to blame instead - much like Snapchat's response to its own data breach yesterday.

“Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.”

In a later blog post entitled ‘Dropbox wasn't hacked', security manager Anton Mityagin said: “Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords in these articles were stolen from unrelated services, not Dropbox.

“Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

The piece was updated some hours later to say: "A subsequent list of usernames and passwords has been posted online. We've checked and these are not associated with Dropbox accounts."

The firm is encouraging users to not reuse passwords across different services, and is recommending the use of two-factor authentication.

Andy Kellett, principal security analyst at Ovum, told SCmagazineUK.com that it's hard to tell what happened at this stage.

“It rather looks like one of those wait-and-see situations. The attacker claims that it has been successful in harvesting large volumes of customer information. Dropbox denies that any current credentials have been breached or data stolen and is prepared to stand by its position,” he said.

“Assuming the Dropbox position is correct, it is right to take a strong stance and must continue to do so in order to assure its users that their credentials and property remain safe.

Chris Boyd, malware intelligence analyst at Malwarebytes, believes that the 'breach' could well be a Bitcoin scam, or an attempt to get people using two-factor authentication.

"This was either a novel attempt at scaring people into setting up two factor authentication on accounts which allowed it, or a quick and dirty grab for Bitcoins," he said in an email to SC.

"Given Dropbox claim there's been no compromise and all of the "sample" accounts were already expired, it's looking more like the latter. Anyone can post extravagant claims to Pastebin and while there's no harm in changing a password once word of a potential breach gets out, we shouldn't panic and wait until more concrete information comes to light."

Other industry observers noted to SC that this is new proof that cyber-criminals are taking advantage of consumers with porous security by using longline phishing attacks as their point of entry.

Dropbox has around 220 million users – making this breach affect roughly three percent of all account holders – and is also facing continued criticism this week from NSA whistleblower Edward Snowden, who took aim at the cloud provider's attitude to privacy.

In an interview with The New Yorker magazine, he advised internet users to “get rid” of Dropbox, suggesting that it provided encryption keys to governments – instead recommending encrypted solutions like SpiderOak.

“We're talking about dropping programs that are hostile to privacy,” Snowden said, before adding that this also applies to Facebook and Google.

In 2012, Dropbox found that usernames and passwords were stolen from other websites to login a “small number” of Dropbox accounts and embarrassment came a year earlier after it inadvertently published code on its website allowing people to sign into Dropbox accounts without credentials.