Nearly 7 million Dropbox usernames and passwords have been hacked, apparently via third-party services from which hackers were able to extract the login information.
The Next Web was the first to notice the leak on a site called Pastebin, where hackers have already leaked about 400 accounts. The hackers promise to release more accounts in return for Bitcoin donations. The hackers claim to have over 6.9 million email addresses and passwords belonging to Dropbox users.
In a statement, Dropbox denied it was hacked:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.
That means Dropbox has already expired the 400 logins that have been leaked so far. But it’s unclear if the logins of the nearly 7 million other Dropbox users the hackers claim to have are still safe. A Dropbox spokesperson told Business Insider that Dropbox consistently expires passwords for accounts that are being attacked, but could not provide a number of accounts expired recently. That means it’s possible that there are nearly 7 million other Dropbox accounts still vulnerable.
It’s a similar response to the one Snapchat had when hackers were able to obtain about 100,000 photos from the service through a third-party app. Snapchat claimed its servers weren’t hacked, but the servers of a third-party app designed to save Snapchat photos were.
The real problem in both cases appears to be the way popular services allow users to log in. Even though Dropbox’s own servers weren’t hacked, the service still allows third parties access. It’s also possible for hackers to hack other sites and cross-reference the login information with services like Dropbox, since many people use the same logins for multiple services. Those third parties have become the target for hackers seeking to obtain personal information. Assuming the hackers do have the login information for 7 million Dropbox accounts, it’s unclear how they were able to take that information from a third-party service and apply it to Dropbox. A Dropbox spokesperson couldn’t elaborate.
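The pattern described above, reused credentials from another site being tried against Dropbox, is what Dropbox says it detects before expiring the affected passwords. The following is an added example, not code from the article or from Dropbox, showing how a service can spot that pattern in its own authentication logs: a single source trying many distinct accounts with mostly failures, which a per-account lockout rule would miss because each account sees only one attempt. The log format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
"""
Added example (not from the article or from Dropbox): a small
credential-stuffing detector run over constructed authentication-log lines.
It flags a source IP that attempts logins for many distinct accounts with a
high failure rate, then lists the accounts that source touched so their
passwords can be expired, with any successful logins called out first.
"""
import re
from collections import defaultdict

# Constructed sample log lines; the format and every value are assumptions.
# 198.51.100.7 tries six different accounts, one of which succeeds.
# 203.0.113.9 is a single user mistyping a password once, then succeeding.
SAMPLE_LOG = """\
2014-10-13T21:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2014-10-13T21:00:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2014-10-13T21:00:02Z ip=198.51.100.7 user=carol@example.com result=OK
2014-10-13T21:00:03Z ip=198.51.100.7 user=dave@example.com result=FAIL
2014-10-13T21:00:04Z ip=198.51.100.7 user=erin@example.com result=FAIL
2014-10-13T21:00:05Z ip=198.51.100.7 user=frank@example.com result=FAIL
2014-10-13T21:05:00Z ip=203.0.113.9 user=alice@example.com result=FAIL
2014-10-13T21:05:20Z ip=203.0.113.9 user=alice@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing.

    The signal is per source, not per account: many distinct usernames from
    one IP with a high failure ratio. Thresholds are illustrative assumptions.
    """
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1

    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_accounts": len(s["users"]),
                "fail_ratio": round(ratio, 2),
            }
    return flagged


def accounts_to_expire(events, flagged_ips):
    """Split accounts touched by flagged sources into those where a login
    succeeded (most urgent: the reused password was valid) and all touched."""
    succeeded = {e["user"] for e in events
                 if e["ip"] in flagged_ips and e["result"] == "OK"}
    touched = {e["user"] for e in events if e["ip"] in flagged_ips}
    return {"succeeded": sorted(succeeded), "touched": sorted(touched)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    print("flagged sources:", sources)
    print("accounts to expire:", accounts_to_expire(evs, sources))
```

In the constructed sample the stuffing source is flagged on six distinct accounts with a failure ratio of about 0.83, while the legitimate user who mistyped once is not, because the rule keys on breadth across accounts rather than repeated failures on one account. The one account where the reused password worked is listed separately, since expiring that password is the urgent step the article's Dropbox statement describes.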
This is an alarming trend. Services like Dropbox, Snapchat, and Apple have pushed blame onto users and other third parties following recent hacks, when it’s clear they’re not doing enough to scrutinize the kinds of apps that have access to their platforms or to guarantee users that their logins will be “expired” if their information is compromised.