The passwords of nearly 7 million Dropbox accounts have been seized through third-party services and 400 directly leaked on Pastebin, with promises of more leaks following bitcoin donations. Dropbox denies a hack.
The leaker described the 400 as a “first teaser...just to get things going” and followed with: “More Bitcoin = more accounts published on Pastebin. As more BTC is donated, More pastebin pastes will appear.”
It remains unclear how the details were obtained; the hackers
claim ownership of details from 6,937,081 different accounts –
claims that cannot in any way be verified.
Dropbox, denies that a hack has taken place.
“Dropbox has not been hacked. These usernames and passwords
were unfortunately stolen from other services and used in
attempts to log in to Dropbox accounts,” it said.
“We'd previously detected these attacks and the vast majority
of the passwords posted have been expired for some time now. All
other remaining passwords have expired as well.”
Dropbox said in a statement to ‘The Next Web’, however, that it
performed “password resets” when it uncovered
‘suspicious activity’ on particular accounts a few months ago.
Former NSA contractor Edward Snowden lashed out at Dropbox on
Sunday, accusing it of being “hostile to privacy”. He
urged web users to abandon unencrypted communication and adjust
privacy settings to prevent governments from spying on them in
increasingly intrusive ways.
Snowden advised web users to “get rid” of Dropbox. Such
services only insist on encrypting user data during transfer and
when being stored on the servers. Other services he recommends
instead, such as SpiderOak, encrypt information while it’s on
your computer as well.
“We're talking about dropping programs that are hostile to
privacy,” Snowden said.
The response from Dropbox appears a familiar one, after Snapchat
released a similar statement blaming a third party for a mass
picture leak on Sunday of some 100,000 photographs from the
service, among which was thought to be child porn.
The content captured after some users opted to use a third-party
website called SnapSaved.com, which lets users save incoming
messages after handing over their login details to the site.