Hackers Claim to Have Nearly 7 Million Dropbox Usernames and Passwords

UPDATE:
From Dropbox Blog:

Dropbox wasn’t hacked

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

Ars Technica:

Popular online locker service Dropbox appears to have been hacked. A series of posts have been made to Pastebin purporting to contain login credentials for hundreds of Dropbox accounts, with the poster claiming that altogether 6,937,081 account credentials have been compromised.

Reddit users who have tested some of the leaked credentials have confirmed that at least some of them work. Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though thus far other accounts do not appear to have had their passwords reset.

Statement from Dropbox:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

Regardless of the claims from both the hackers and Dropbox, users are advised to change their passwords. Enabling two-step verification is also highly recommended.

A thing or two to know about two-step verification for Apple ID

On Thursday March 21, 2013 Apple enabled Two-Step Verification for Apple ID.

Two-step verification is an optional security feature for your Apple ID. It requires you to verify your identity using one of your devices before you can:

  • Sign in to My Apple ID to manage your account.
  • Make an iTunes, App Store, or iBookstore purchase from a new device.
  • Get Apple ID-related support from Apple.

In addition to the Frequently asked questions about two-step verification for Apple ID, there are a few things we found:

  • One phone number can be verified for two-step verification on multiple Apple IDs.
  • Not all SMS-capable phone numbers can be used; Google Voice and Skype numbers, for example, cannot.
    Apple has listed supported carriers for SMS and two-step verification.
  • When a verification code is sent to a passcode-protected iOS device, the user must unlock the device before the code is displayed.
  • When a verification code is sent through SMS to a passcode-protected iPhone, the SMS content might be shown, depending on the notification setting.
  • Nexus 4 running Android 4.2.2 Jelly Bean does not display SMS content when it is passcode-protected (including face-unlock and pattern-unlock).

Apple was expected to beef up Apple ID security after the epic hacking of Mat Honan’s Apple ID and Amazon Account.