Hundreds of Dropbox accounts compromised via third party service; change your password now

Earlier today, a thread surfaced on Reddit offering up 400 Dropbox usernames and passwords in plain text, with a note that over seven million accounts have been compromised in total. Dropbox has since announced on its blog that it wasn't hacked, and that the leaked passwords were stolen from a third party service.
"Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well."
The leak that was posted on Reddit contained hundreds of accounts with email addresses beginning with the letter "b". Dropbox is sending out password reset instructions to affected users, but as a precaution, it is advised that all users change their passwords on the service. While you're at it, go ahead and enable two-factor authentication as an added layer of security.
Were you one of the users affected by the hack? Let us know if you were able to successfully change your password.
Source: Dropbox
Harish Jonnalagadda is a Senior Editor overseeing Asia for Android Central, Windows Central's sister site. When not reviewing phones, he's testing PC hardware, including video cards, motherboards, gaming accessories, and keyboards.
-
Don't change your passwords.. Just switch to OneDrive..
-
I tried Dropbox and it's nothing compared to OneDrive as it is now. I uninstalled instantly.
-
Lol
-
Love how we hear about this shit way after the fact. In addition, banks, Target, Chase, and other organizations don't say anything until a third party (other than the hacker) unleashes the truth. Oh so fucking helpful.
-
I know! They should tell us before it happens.
-
Or if it happens in April, tell us in April and not in October.
-
Lmao
-
This should probably bring more people to OneDrive. Microsoft should start some form of customer attraction advertisement NOW!
-
Best just push the advertisement but keep it professional, if they do one of those siri vs cortana ads again they would look even worse if they happen to get hacked or compromised.
-
Dropbox still have a better sync client. Shared folders LAN sync Selective sync for Windows 8.1
-
Totally, and those are the lesser features.
-
Selective sync also on OneDrive... But the shared folder are better on dropbox, I agree
-
"Selective sync for Windows 8.1" How do I have selective sync? I have offline and online options. The files are still here with the online option and you can see the images as thumbnails. With selective sync I would not have them here at all.
-
I mean that, I prefer this because I can still see my files but they do not use my hdd space (I find this very helpful on my tablet)
-
Why are you asking yourself a question?
-
Except for one big difference... when you share something on Dropbox, that folder counts against the recipient's storage quota. On OneDrive, it doesn't... I could share a terabyte of data with you on OneDrive, even if you only have the free 15GB account. I get really annoyed when people share big files with me on Dropbox because it pushes me over my quota, and I have to either delete something or pay to upgrade my storage. Very annoying.
-
Yeah this is a pro! But if I want physically that two folders will synchronize on HDD within two accounts, it is still not possible. I mean that I have to see shared files via browser, this can be annoying in some cases.
-
You can use something like Cubby, or SugarSync, or a very good free option, BitTorrent Sync to handle that. Dropbox isn't the only software that will synchronize data between computers.
-
I agree, I use Yandex Disk
-
Or you can just use OneDrive and not have to use all these other software and make it more complicated than it needs to be...
-
But if someone want to share a 20 MB project folder that needs to be opened in a special program (not Office) OneDrive is completely useless. No more sync, only download and upload files after changes.
-
Mostly true, but I've never gotten that to work with Dropbox either. I can update files in a shared folder, but they never get uploaded to the original sender's folder. It hasn't ever worked for me.
-
Each case has its cloud service! :D
-
Of course they do, automatically. Unless they've left the folder or turned off sync locally.
-
I know it is supposed to, but it has never worked for me. Not once.
-
Yep, this is one major reason that I refuse to accept Dropbox shares.
-
Except for the exponential quota usage. Eg, if I share a folder with two friends, then upload a 5GB file, it takes up 5GB of each of my friends' quotas too (15GB total). That's just stupid.
-
I don't give a crap. As long as there is no official client on Windows Phone, I won't be their customer. Also with the File Loss Drama they had some days ago, I don't think I would ever want to use Dropbox tbh. OneDrive serves my needs more than enough.
-
Backup, backup, backup! Synchronising is not backup. You should always keep a backup of important files and any files you want to be sure to have. I would recommend CrashPlan, free to save backups on your own PC's, external storage and friends PC's.
-
I keep backups on both external HD's, USB sticks, and OneDrive. If even one source of my backups is unreliable, I'm not happy. I don't sync in the usual sense. I simply upload the specific files I want to keep.
-
One medicine for various prob!
-
Already moved all my files to onedrive! Hooray!
-
Only n only Onedrive... Hope nthng happens to OneDrive.... I have good collection of private pics there :p
-
Nude?
-
It can't be nude. Microsoft scans all of your uploads and removes nude things. That would be the only reason to use dropbox, they don't care what you store.
-
No they don't! They only remove things like that relating to children. Microsoft only care about nude adults if the pictures are in a shared folder.
-
Lol ooook. I'm sure I'd have FBI knocking at my door with the collection of movies I have on OneDrive if that be true.
-
It's all good until it's not.
-
+
-
@PolishHitta, You sir, sound nasty and bestial. Go away. Now. Eat some kielbasa and lay down in a hole and ask anyone to fill it with rocks and water.
-
@Peg Leg and you sir are stereotypic and racist piece of garbage. Why don't you fall off a cliff cause no one needs your kind to exist. EDIT: Besides I'm talking about pirated movies, someone with a peg leg should know that...
-
Lol
-
Total lie.
-
Microsoft doesn't scan anything.... well they do, but they don't do it the way you think, have you ever used OneDrive? I have tested in YEARS uploading any type of photo and nothing has happened. actually Microsoft doesn't care what I store, I have from illegal negeo rom games to private photos and even a korean movie, it's Cyrano Agency if you ever want to watch it, it's good!! but it would be illegal but I have shared it, and I think the link it's still there in the asian site I shared it, also I have music, yeah music. illegal stuff. so what are you saying now? have you ever been blocked from using OneDrive or you are just talking random stories you heard on Internet? Even people saying Microsoft only cares until you share files, it's not entirely true... I have clicked on shared, even to public and nothing has been blocked in my account. I stopped caring what I upload, I just upload and in years nothing has happened. I don't even delete files anymore. maybe i am lucky? I don't care, it works for me, and the sharing features work for me, and OneDrive while not perfect, it works for me. But honestly, the only stories I have heard about "I was blocked" it's when there was CHILD nudity, because the machine Microsoft uses won't say "oh it's his son/daughter, so don't worry about this", actually, I would find it disturbing people uploading that kind of private photos in OneDrive anyway and click the share button, why would a parent share those kind of photos anyway? so No, Microsoft doesn't care either. so I don't understand why you say DropBox is better unless you have never really used OneDrive to upload more than 3 files.
-
Porno?
-
Time to hack onedrive. You will be my first victim. Muahhahahhahaha. (just joking)
-
I never save private pics on OneDrive. I share all the rest. I don't know why people do show, especially celebrities...
-
Celebrities are so used to CAMERAS, that they want to record private stuff and archive it. Then maybe in future they can look back and celebrate saying "NOT BAD".. I did good stuff in my life.
-
Are you a celebrity?
-
Moral of the story kids, don't upload/share/store anything in the cloud that you'll be embarrassed to let you mum see. :D
-
Kim Kardashian's mom was ok with her daughter's sex tape
-
Because Kim is bankrolling her mom and alien looking father.
-
When will people realize that Microsoft is the best at security. You guys need to switch to OneDrive, you get 15gb free.
-
It's up to 30GB now, actually. ^_^
-
You can get up to... If...
-
The default is still 15 GB free and the blog said the 15 GB camera roll promotion would last until the end of September. The OneDrive plans site only says you can earn 8 GB extra. "Earn extra storage +3GB Earn an extra 3GB of storage when you back up your camera roll. +5GB Refer a friend to OneDrive and both of you will receive +500MB. Refer up to 10 friends for a maximum of 5GB." https://onedrive.live.com/about/en-us/plans/
-
Somehow I happened across 100gb. Oh yes, it was a Bing promotion. After accepting the offer, OneDrive prices fell dramatically and is /was cheaper than FuckyouOverBox. Admittedly, there are some nice features on FuckyouOverBox, but it is nothing MS cannot fix.
-
Is Dropbox security so easy to pass? And why suddenly everyone is so interested in Dropbox?
-
Dropbox was not hacked and they offer two-factor verification, sounds secure.
-
Onedrive (microsoft account) supports two factor auth
-
They both do and I have it enabled on both. For other sites https://twofactorauth.org/ is a good site to see who supports what. So do the two-step! https://www.youtube.com/watch?v=vC8qbff_U4o
-
Except that they've been hacked so many times before. This is like the 6th time a password database has gotten out. Maybe not their fault this time, but it was the other times.
-
Use factor authentication! "What About Passwords? Passwords aren’t the best way to secure your accounts. Passwords have been stolen in large-scale data breaches, placing millions of people at risk of identity, data or financial theft. And people don’t always follow the best practices when it comes to passwords, like having a separate password for each account and making passwords long, strong and unique. And sometimes, people don't choose strong passwords - so cybercriminals can guess them and gain access to their online accounts. If that password is reused, the bad guys have access to all of your accounts. Many people aren't protecting themselves online and don't always follow the best practices when it comes to passwords, like having a separate password for each account and making passwords long, strong, and unique. Some of the most popular passwords are "password1" or "123456". The Solution Online services like email, social networks and banking make it especially important to secure your accounts. Luckily, many of these sensitive online services give you the tools to protect yourself and your information online. Email providers and financial services to social networks and blogging platforms are implementing new security features that can help their users add another layer of security to their accounts. These technologies are often referred to as two-step authentication, login approvals, multi-factor authentication, etc. because they add a new layer of protection by adding a second element - in addition to a password - to protect your account. These methods provide an extra layer of security. Most people only have one layer to protect their account. But combining something you know (your password) with something you have (your phone, a token, fob, etc.) makes your account even more secure by requiring the second element to log in. Simply put, two-step authentication makes sure it's really logging in, not just someone who has your password."
http://stopthinkconnect.org/campaigns/details/?id=460
-
Two-factor is a great thing. But at the same time should anyone be using a site that takes security so flippantly? Yes, they added two-factor, but they make so many other mistakes. Even if it turns out to be true that a third party service is where the password leaks came from, that is still a problem. The third party API used by Dropbox should NEVER require a username/password. It's just too dangerous. The right way to do third party integration is the use of tokens. When a site needs access to Dropbox, it should send the user over to Dropbox's site to validate their login (username, password, two-factor) and then issue a token back to the original site. Dropbox keeps a copy of that token (or, more ideally, a hash (mathematical representation) of that token). When the site needs access to Dropbox data, it sends the token over, Dropbox verifies that it is correct, and knows whose account the token belongs to, and then performs the requested action. The original site doesn't have to know the user's username, email address, or password to make this work. And, better yet, if the site's token database is leaked, all Dropbox has to do is cancel the tokens issued to that site. No changing of usernames and passwords is required, because the site never had them in the first place. It's things like this that make it pretty clear that Dropbox's programmers don't understand security. They've had way too many problems in the past. History keeps repeating itself. And worse, they've never exactly been forthcoming about any of the breaches either. Just a few examples of their security issues: (1) after the site became popular it was discovered that Dropbox wasn't encrypting data in transit -- it was in plaintext that anyone along the way could view...
(2) after they started encrypting data in transit, it came out that they store data unencrypted on their servers, (3) employees at Dropbox have access to user data because it isn't encrypted, (4) credentials of at least one Dropbox employee were leaked, and used to download the usernames and passwords of most of their users, (5) after Dropbox finally added two-factor authentication, hackers figured out how to completely bypass it. And now this... they obviously aren't using random, per-site tokens to protect user accounts. It's pretty clear that they don't know what they're doing. Or don't care until they get caught. Either way, they're a site that we probably shouldn't be dealing with. It's only a matter of time until the next big problem.
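The token scheme described in the comment above, sketched as an added example that is not part of the original comment and is not any provider's actual code. The `TokenStore` class, the site names and the accounts are hypothetical, and the third-party site's identity is assumed to be authenticated separately before `verify` is called.

```python
import hashlib
import secrets


class TokenStore:
    """Provider-side store (hypothetical): keeps only SHA-256 digests of tokens."""

    def __init__(self):
        # digest -> (account, site); the raw token is never kept server-side
        self._grants = {}

    @staticmethod
    def _digest(token):
        # A plain hash is adequate here because tokens are long random
        # strings, unlike passwords, which need a slow salted hash.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, account, site):
        """Called only after the user has logged in at the provider itself."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unique per grant
        self._grants[self._digest(token)] = (account, site)
        return token  # handed to the third-party site exactly once

    def verify(self, token, site):
        """Return the owning account, or None if unknown, revoked or wrong site."""
        grant = self._grants.get(self._digest(token))
        if grant is None or grant[1] != site:
            return None
        return grant[0]

    def revoke_site(self, site):
        """Cancel every token issued to one site; returns how many were removed."""
        doomed = [d for d, (_, s) in self._grants.items() if s == site]
        for d in doomed:
            del self._grants[d]
        return len(doomed)

    def stored_values(self):
        return set(self._grants)


def demo():
    store = TokenStore()
    # Constructed sample accounts and site names
    t_photo = store.issue("alice@example.com", "photo-printer.example")
    store.issue("bob@example.com", "photo-printer.example")
    t_notes = store.issue("alice@example.com", "notes-app.example")

    before = store.verify(t_photo, "photo-printer.example")
    # photo-printer.example's token database leaks: revoke that site only
    revoked = store.revoke_site("photo-printer.example")
    return {
        "before": before,
        "revoked": revoked,
        "leaked_token_after": store.verify(t_photo, "photo-printer.example"),
        "other_site_after": store.verify(t_notes, "notes-app.example"),
        "wrong_site": store.verify(t_notes, "photo-printer.example"),
        "raw_token_stored": t_notes in store.stored_values(),
    }


if __name__ == "__main__":
    print(demo())
```

After the revocation, the leaked tokens stop working while the user's password and the grants to other sites are untouched.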
-
Thank God I am using ONE DRIVE
-
What is this ONE DRIVE you speak of? I prefer OneDrive. Anyway, it's best to enable two step verification for OneDrive and/or Dropbox.
-
How can i turn off 2 step verification
-
Try : https://account.live.com/proofs/Manage
-
Android #hackgate
-
I think Dropbox is going to lose many users
-
Why? Is it because the leaked passwords were stolen from a third party?
-
Yes, and some hours ago some people lost their data. But if you like to lose data so use Dropbox. #OneDrive FTW
-
Better switch to OneDrive
-
One drive!
-
OneDrive!
-
OneDrive all the way!
-
It's plain simple: DO NOT store private pics and documents or videos on the cloud (any cloud), just do it old fashion way: Either burn them on a disc and stash it in your archive or put them on a USB stick and again stash it in your archive...... pure, simple, secured! But when it comes to clouds for anything else, Drive to the OneDrive only! :)
-
The only private pics I have are **** IYKWIM! :3 lulz
-
we do, lol :)
-
Exactly. Never store private pics in the cloud.
Put only important business stuff there!
-
Or you can do the two-step https://www.youtube.com/watch?v=vC8qbff_U4o Also, you can encrypt your files.
-
Boris has the best solution. Stop being lazy.
-
Thank you :)
-
lol i use onedrive
-
lol, i use pendrive.
-
Nothing is 100% secure. There's always a weakness in the system. The best you can hope for is that the end user is the weakest in the chain, but that is largely a pretty significant weakness. Ultimately, if you want something kept safe, don't put it onto the internet!
-
we know that nothing is 100% safe. but the fact is the company's effort to make their products safe. Microsoft and apple have proven with their efforts.
-
Apple? They added two step verification and left things out (so not all features were covered) and the celebrity leak was possible.
-
But this could easily happen to OneDrive, it was via a 3rd party app that had the DropBox credentials, not DropBox itself. People assume a false sense of security, it's the same as all those Apple users claiming that Macs don't get viruses.
-
A properly designed third party system shouldn't ever have passwords. The sharing should be done with revokable tokens. No service should EVER store passwords. Ever. There is no good reason to do so.
-
+1520 (the Big Red One)
-
Always assume 3rd party apps store everything.
-
what would google say about this. ' try switching to google drive we will check your accounts regularly and protect it.' lol
-
Google gets talked about here more than they do at Android Central. It's crazy.
-
yeah bcoz we know their stupid business correctly.
-
You sir, made an award winning comical post. Well done chap.
-
thank you
-
shit, my email started with b!
-
Mine too. Fortunately, I shifted everything to OneDrive and cancelled fuckyouoverbox several months ago.
-
One drive.. Rules
-
"Your stuff, everywhere."
-
EVERYwhere... ;-)
-
Lol
-
OneDrive all the way.
-
Ha!
-
iCloud, dropbox, who is next ??
-
Dropbox has been hacked since records began. That's why at work we never allow access to such file sharing services. iCloud isn't a file sharing service so there's no excuse for such a large company to be hacked.
-
Hey. Who cares about missing files and credential leakages?
You get one year "Pro" for free.
-
Hooray! Now, not only can I get my files deleted, but I can have them PROFESSIONALLY deleted!
-
Lol
-
Yet their own T&C say your data is backed up and is safe. Lol
-
Yay the cloud
-
Long live OneDrive!!! Haha
-
I don't care. OneDrive, sir.
-
400? Lol no bid deal...
-
What are you bidding for? ;)
-
Some pride
-
http://www.change.org/en-CA/petitions/governments-of-the-world-punish-mo...
-
Got my vote
-
If they want to see all my nude uploads more power to 'em
-
With a moniker like yours (phatman xxl) they would need superpowers, lol...just playing
-
First iCloud, now Dropbox. I smell a conspiracy.
-
Not conspiracy you smell, just fish & chips late night dinner,, lol
-
Lol.
-
I smell a long known weakness in online security, that's why we have two step authentication. Also, that's why October is National Cyber Security Awareness Month in the US and EU.
-
Brian, you must have an excellent sense of smell. Seriously, you seem to have half a clue and care, can you do something like offer an opinion in the paper, online version, etc? Seriously, I'm not being a dick. Average people don't know this stuff.
-
There goes what Snowden just said...stop using google, dropbox, facebook.
-
People have been saying this for months.
-
Which third party is this? Did it affect winpho users?
-
I have to use dropbox coz of yahoo mail
I really like using onedrive.
-
Were you one of the users affected by the hack? No, cause i have never used it
-
I have replicated everything on OneDrive but hadn't dropped the hammer on canceling my account yet. Another good reason to get off the dime on that. Office 365 1tb was the final piece.
-
I have put a copy of those leak pic in my drop box xD hahaha
-
Just one day after a video interview of Snowden advising people not to use FB and Dropbox, this happens...brilliant!!!
-
Amen, brother. Mr. Snowden has been very, very valuable. So what do we, the U.S., do? Try to crush him. How blind, deaf, and dumb we are/have been. Sad.
-
It's like he knew ;)
-
Lol, i uninstalled dropbox yesterday.
-
Too bad the hack was done some time ago.....no one tells us shit till they have to.
-
Why not just use OneDrive? Dropbox doesn't support my OS of choice. Stupid Dropbox devs.
-
that's why you use OneDrive.
-
OneDrive!
-
I never use dropbox.... OneDrive all day baby!
-
So since no one will talk about the big elephant in the room perhaps I will. This is not Dropbox but a third party app/site/service. Same thing happened with Snapchat, third party service was storing photos. Windows Phone had been relying on 3rd party clients since we don't get official support and those have been praised a lot on this site. Perhaps time to do a reality check and start asking serious questions about the dangers associated. And to be clear this is not a personal attack because it is pretty clear who the biggest 3rd party app developer is but rather a serious issue as a lot of people use these apps. I use 6tag (before that Instance) a lot but have shied away from the other apps because I assessed the risk of being hacked on Instagram as being low impact compared to someone accessing the files that I store on OneDrive for example. Am I the only one who thinks this should be a topic?
-
Sshhhhhh, don't bring that up. This is a collective, "let's bash Dropbox" fest. We get so little good news about our platform that when we hear something like this, we all jump in and create our own illusion of perfection. We feign ignorance and create our own truth. But, you are exactly right. Dropbox was not compromised. A third party client was. And no other major platform on the face of the universe uses more third party clients for tier one apps than Windows Phone.
-
Guess sometimes discussing the truth is blasphemy to some.
-
Maybe OneDrive needs to offer a bring your data to us app. And offer extra gb for doing so.
-
One drive has no password protection. Wouldn't put anything on there that I didn't want everyone to know.
-
Waaattt?
-
Yes it does. It's the same as you use for email etc. Via outlook.com
-
I don't use Drop Box I use One Drive.
-
No problem with Dropbox throwing the 3rd party service under the bus but they won't name the 3rd party service? They suck too.
-
Is there any app to bring dropbox to OneDrive automatically.
-
Evidently if you don't praise one drive your message gets deleted.
-
Well I'm not using DropBox again
-
Thanks Snowden
I believe on you
-
Wait, there are people who DON'T use 2-factor? Scary....
-
99$ per year and you get 5tb of online storage space (1 tb per user) and 5 microsoft office licenses. Best deal ever