A thread surfaced on Reddit today that contained links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text, but it’s unclear where they were obtained from.
In four Pastebin files linked to from the site, a few hundred username and password pairs were listed in plain text as “teases” for a full leak from an anonymous user, who asked for Bitcoin donations for continued leaks.
A message annotated at the top of the leaks said:
Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts
To see plenty more, just search on [redacted] for the term Dropbox hack.
More to come, keep showing your support
Users in the Reddit thread allegedly confirmed the credentials in the spreadsheet worked at time of writing on multiple accounts listed, however it’s not clear where these credentials actually came from nor how many users were affected.
Dropbox, however, said in a statement to The Next Web that it is not to blame for the leaked passwords and that these were stolen from other, third party services:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
Dropbox forced a password reset for those affected that are listed in the Pastebin files when attempting to log in on the website, according to users in the Reddit thread.