Dropbox has been targeted by hackers who claim to have login details for nearly seven million of its accounts.
To prove the authenticity of their attack, the hackers on Monday posted hundreds of Dropbox usernames and passwords in plain text on the Web, with a request for Bitcoin donations for further posts revealing more of the data, TNW reported.
In a statement to Digital Trends, Dropbox insisted its servers had not been hacked, and that “these usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.” It declined to say from which services the data had been stolen.
The cloud storage company added, “We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now.”
Dropbox said it’d already forced a password reset for those affected, though as a precautionary measure all users of the service would be wise to change their passwords now, and also to activate two-step authentication if they haven’t already done so. Two-factor authentication, which can be set up in just a few clicks, adds another layer of security to an account by asking for a six-digit security code at login, in addition to the password.
It’s been a rough 24 hours for Dropbox. Earlier in the day it admitted that a bug in some older versions of its desktop app had caused the deletion of files belonging to “a small number” of Dropbox users. A message sent to those affected suggested the company has been able to restore most of the deleted files, though it appears some may have been lost forever.
Both issues come just days after whistleblower Edward Snowden said Web users should avoid using Dropbox, as well as Google and Facebook, citing data protection and privacy concerns.
Speaking via video link from his hideout in Russia, the former NSA contractor suggested users ditch Dropbox because of its lack of local encryption.
In a blog post earlier this year, Dropbox outlined its approach to online security, reassuring users that data is encrypted on the company’s servers and also while in transit. However, if a user wants to encrypt the files on their own computer, a third-party solution is needed.