Just because someone posts millions of username and password combinations online and claims they’re from a breach of the Dropbox cloud storage service doesn’t mean it’s true. In fact, even if some of the username and password combinations actually work to access some Dropbox accounts, it still doesn’t necessarily mean that Dropbox itself was hacked.
I wrote a blog post about the claim of a Dropbox breach, and the fact that Dropbox denies any such breach occurred:
A thread posted on Reddit today claiming a massive hack of 7 million Dropbox accounts. The post contained hundreds of usernames and passwords as a tease to “prove” the veracity of the claim. Dropbox, however, says the claims are false.
Hackers posted the thread on Reddit, and some Reddit users allegedly confirmed that at least some of the leaked credentials actually work. Even if that’s true, though, we don’t yet know where the credentials came from, or how the attackers were able to obtain them. It’s premature to just assume that Dropbox itself was hacked in any way.
“We saw this kind of claim after the news of the eBay breach—someone posted an ad saying they had the data from the eBay compromise and would sell it for bitcoin. Analysis of the free “sample” they offered revealed that the information was not from eBay at all,” cautioned Tod Beardsley, engineering manager, Rapid7. “It is not necessarily the case that the same is true here—the data could be from Dropbox—but until Dropbox confirms a breach, or the data being offered is analyzed and verified as being from Dropbox, this is all just speculation.”
Read the full story on CSOOnline.com: Don’t believe the Dropbox breach hype.