Hundreds of Dropbox logins leak, but storage service says they came from elsewhere

Dropbox has denied reports that it was hacked, after scores of purported logins and passwords were leaked online.

The information appeared in a few Pastebin posts of about 100 credentials per post, linked to by someone wanting bitcoins to leak more. Reddit users confirmed that some of the login details worked, but Dropbox used a blog post to argue that it wasn’t the source of those credentials, many of which won’t work anyway:

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

The service told Ars Technica that it had “previously detected these attacks and the vast majority of the passwords posted have been expired for some time now.”

In its post, Dropbox reminded users to avoid using the same password across different accounts, and to turn on two-step authentication so that a handset-derived, one-time code is also needed to log in. Dropbox’s version of events sounds eminently plausible, and its advice is good (though those looking for added security might want to consider a Dropbox-compatible encryption service such as Boxcryptor).

Personally, I recently started using 1Password to generate and store strong passwords for the various services I use – funnily enough, it needs Dropbox to more easily synchronize between devices – and I turn on two-factor authentication wherever I can. As of this morning’s reminder, that includes two-factor for Dropbox.