Here we go again with yet another data breach. A hacker group says it has hold of almost 7 million Dropbox usernames and passwords and that, if it receives enough Bitcoin, it will release over 1,200 accounts to the public. The group has already released 400 as a sample of what it has acquired. The twist on this story is that Dropbox says this is a non-issue and that, in fact, it has not been hacked.
According to Dropbox, the passwords released so far have already expired, as have the passwords for the rest of the accounts. The company has even gone as far as to blame other services for the breach.
"These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well."
So Dropbox says they've basically solved the problem. But Reddit users have tried out some of the accounts and have said they work; the passwords are expired on only a small percentage. Considering that there are over 220 million accounts on Dropbox, a hacker group holding only three percent of them really isn't that significant a number, but for Dropbox to deny even this small percentage is pretty alarming.
Even if Dropbox is denying the attack, the username and password combinations still work, and users should enable two-step authentication and change their passwords immediately. Is this what companies are going to do from now on, though? Blame other people for their lack of security and care for customers' data?