A post published today on the text-sharing site Pastebin by an unknown hacker group claims that the group has stolen more than 6 million user credentials from the well-known cloud file-sharing service Dropbox. The post also says that the more Bitcoin donations are made to a specific code, the more credentials the hackers will reveal. A teaser containing about 400 user e-mails was already included in the message.
Shortly after the release, Dropbox issued a statement claiming that the credentials were not stolen from Dropbox’s servers but from other applications on the internet, and that the company has already detected an attempt to use them on its cloud service.
‘Your stuff is safe,’ a message on Dropbox’s official blog says.
Most of the stolen credentials have already expired anyway, the company also states.
On a message board thread from 13 Oct, however, some Reddit.com users say that their usernames and passwords work, while others claim Dropbox is expiring the credentials at the moment. The information is controversial, the users continue, referring to previous Dropbox breaches which the company denied.
A “small number” of Dropbox usernames and passwords were also stolen in 2012, the company stated back then, saying that in that case too they were taken from applications other than the cloud service. A year prior they had a similar issue: they accidentally published code on their official website that allowed users to connect to Dropbox without using any credentials at all.
For now, the best protection for all users remains enabling two-factor authentication on their accounts and installing a time-based one-time password application on their mobile devices.
Another serious issue the company is facing now is its Selective Sync application deleting user files and information from the cloud.
‘We’re reaching out to let you know about a Selective Sync issue that affected a small number of Dropbox users. Unfortunately, some of your files were deleted when the Dropbox desktop application was shut down or restarted while you were applying Selective Sync settings,’ an official e-mail to the company’s users says.
‘Our team worked hard to restore files that were deleted from your account. You can see which of your files were affected and whether or not we’ve been able to restore them on this personalized web page. We’re very sorry about what happened. There’s nothing more important to us than making sure your information is safe and always available. Our team has fixed the issue and put additional tests in place to prevent this from happening in the future.’
Affected users will be offered a free year of the Dropbox Pro service as compensation for their losses, although the company has still not issued an official statement on its website or on social media.
Could the bug in Dropbox’s Selective Sync application and today’s hacker attack be connected?