Online file storage website Dropbox is one of the biggest names in cloud, but yesterday it had one of those days that tech companies dread having.
A thread popped up on Reddit in which a user claimed to have access to nearly seven million username and password combinations for Dropbox. After revealing several hundred of them on Pastebin to prove that the list was real, he said that he would release the full list in plain text after receiving some donations, in Bitcoin of course.
The timing of the exposed data may have had something to do with the fact that yesterday the leaker of all things NSA, Edward Snowden, said that everyone should “Get rid of Dropbox” because “it doesn’t support encryption, it doesn’t protect your private files.”
Dropbox immediately hit back with a blog post stating, unequivocally, that the site had not been compromised: the company said that the usernames and passwords were stolen from third-party apps that users had trusted with their Dropbox credentials. They also released a media statement saying that “We’d (They’d) previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.” (This contradicts claims in the Reddit thread that some of the passwords still work.)
As with everything on the internet where you may be storing sensitive data, the best option at the moment is to enable two-factor authentication, which works exactly the same way that your online banking does: it sends a one-time PIN to your cellphone when you log in to make sure that it really is you.
Dropbox have a handy guide on how to enable two-factor authentication on their website.