Dropbox users, it may be time to update your passwords and enable two-factor authentication. A hacker claims to have stolen some 7 million usernames and passwords for the popular cloud-based file storage and sharing service.
Someone posted a series of links on reddit Monday evening to files that purportedly contain a sample of the stolen usernames and passwords. Several redditors say at least some of the passwords were working at the time they were posted.
Anton Mityagin, from the Dropbox security team, wrote in a blog entry that the company's servers were not hacked.
Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.
Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
The blog was updated to add that passwords later posted online did not belong to current Dropbox accounts.
The company told The Next Web that it noticed suspicious activity linked to some of the associated accounts months ago and automatically reset the passwords.
To change your password, log in to your Dropbox account, click on your name and choose "settings." Then, click on the security tab. You can also enable two-factor verification, which requires either a cellphone or an app. A code will be sent to the cellphone or app whenever you -- or a would-be hacker -- attempt to access the account from a new device.
The security page will show you all devices that have been linked to your account as well as which ones are currently logged in.
Some Dropbox accounts were compromised in 2012 when the company said a hack of third-party websites exposed Dropbox passwords. In addition, a company Dropbox account was accessed, exposing user email addresses, according to CNET.