Before you go through the details, go to your Dropbox account and change your password immediately. It looks like there's a massive security breach at Dropbox. A user on Reddit has linked to a posting on PasteBin (which we won't link to) containing over 400 usernames and passwords in plain text, with almost 7 million more said to follow soon.
At Technology Personalized, we can confirm that some of the accounts were indeed real and we could authenticate to Dropbox servers with a couple of the account details. Since then, Dropbox appears to be forcing a password change on the roughly 1,250 accounts already leaked by the hacker.
Sadly, this isn't the first time Dropbox has been hacked. The popular cloud storage service had previously introduced two-factor authentication for improved security, but it appears that not many users bothered to enable it. If you haven't done so yet, enable two-factor authentication right away: log into Dropbox, click the drop-down in the upper right-hand corner, choose Settings, open the Security tab, and click "Enable" next to "Two-Step verification".
If you reuse the same password on multiple sites, change it on those other services as well.
Update: Dropbox has said in a statement that it is not to blame for the leaked passwords and that these were stolen from other services:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
So it appears that the hacker took passwords stolen in previous breaches (of Yahoo and others) and tried them against the matching Dropbox usernames.