Dropbox says it has not been hacked


Published: Tuesday 14th October 2014 by The News Editor


Cloud storage site Dropbox has moved to deny claims it has been hacked after an anonymous account posted what it claims are the usernames and passwords of hundreds of the site’s users.

An anonymous post to website Pastebin, traditionally used to save text users would like to paste elsewhere later, contained a list of hundreds of email log-ins and passwords the hacker claimed were linked to Dropbox accounts. The post claimed that more than 6.9 million Dropbox accounts had been hacked, and that more would be posted.

The hacker has asked for donations in digital currency Bitcoin in exchange for revealing the alleged flaws in Dropbox’s security, as well as revealing more account details in the future.

“As more BTC (Bitcoin) is donated, More Pastebin pastes will appear”, said the post.

However, Dropbox has moved to deny that its service has been compromised. The company’s Anton Mityagin said this was an attempt to gain money from stolen data found elsewhere online.

“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe,” he said.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

Mr Mityagin went on to encourage users to beef up the security on their Dropbox account, citing this attack as a good reason to enable two-step verification. This adds a second layer of security to an account, and is used by many other online services. In this instance it requires you to enter an additional code, which is sent to your phone when you try to log in, as well as the password.

“The idea behind two-step verification is to combine ‘something you know’, like your password, with ‘something you have’, like your phone to add an extra layer of security”, said Dropbox’s Cory Louie.

This attack marks the latest incident in a growing line of hacks on major websites and services as hackers look to mine personal data. The celebrity nude photo hack, as well as breaches at eBay and photo-messaging app Snapchat, have already been prominent this year.

Some industry experts have also been less dismissive of the attack than Dropbox.

Tony Pepper, chief executive of online security platform Egress, has warned consumers and businesses are risking themselves through what he calls “bad habits”.

“Another day, another data breach. While it has emerged that Dropbox itself was not hacked, the incident does highlight the insecurities of the cloud and the fact user passwords can easily be sourced from other areas. Usernames and passwords used to access services such as Dropbox are being targeted, and once hackers have access they can see everything. It is not just personal information that is at risk but commercially sensitive data as well,” he said.

“As IT becomes increasingly consumerised, people are not only bringing their own devices to work, they are bringing their bad habits too. How often have you been communicating with a colleague or partner and needed to share a large file, and the easiest option has been to simply send it via Dropbox? It is becoming common practice.

“Incidents such as these highlight the risk to data security that this creates and should act as a wake-up call for organisations to start looking at the processes within their business.”

Mark Sparshott, from security experts Proofpoint, explained that it is the casual nature of some users when it comes to passwords that places them at risk of attacks like this.

“Cybercriminals were able to simply log in to Dropbox accounts using the usernames and passwords they hacked or purchased elsewhere on the internet. Cybercriminals know that many consumers are not aware of security best practice, or choose to ignore it, by using the same ID/email address and password to login to multiple online services,” he said.

“This password reuse is exacerbated by the increasing volume and success rates cybercriminals are enjoying with advanced phishing campaigns such as longlining, many of which are ‘Credential Attacks’ where the phish email sends the recipient to a fake website resembling the login page of a legitimate online service, often Amazon, Dropbox and Google Docs.”

However, Dropbox is maintaining that on this occasion the attack has not affected its service.

“A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts,” the cloud firm said.
