The huge Dropbox password leak that wasn’t

Don’t believe everything bad you read on the internet.

Update: Since this article was written it has emerged that millions of Dropbox credentials have been exposed.

Read this article for more details: “Millions of Dropbox users are being advised to change their passwords”.

The original article is reproduced below for your reference.


A lot of people use Dropbox.

A lot of people put a lot of valuable, sensitive and personal data inside Dropbox.

A lot of people make the mistake of not encrypting their valuable, sensitive and personal data before they put it inside Dropbox.

Which all adds up to a whole heap of trouble if Dropbox suffers a data breach.

Alleged Dropbox breach

Fortunately, as Brian Krebs reports, recent claims from identity theft protection firms that Dropbox has suffered a massive password breach appear to be erroneous.

Troy Hunt – who knows a thing or two about verifying and responsibly disclosing data breaches – also chimed in, decrying that some had jumped to the conclusion that a serious breach had occurred without an attempt to independently verify, or even consult Dropbox itself.

Instead, the data swirling around the net appears to be derived from the mega breaches at Tumblr, LinkedIn and MySpace that have recently been in the spotlight.

Of course, if you were making the mistake of using the same password in multiple places – for instance, the same password for Dropbox that you use at Tumblr – then yes, you would be wise to change them.

But that’s far from claiming that Dropbox has suffered a huge password leak. Because there is no evidence to suggest it has.

Nonetheless, with so many mega-breaches making the news, there’s certainly no harm in hardening your security and – for instance – enabling two-step verification on your Dropbox account to make it harder for hackers to break into.

I don’t mean to suggest that Dropbox is immune from making security blunders, of course.

For instance, in 2012 one of its employees had his password stolen, and spammers managed to steal a database containing the email addresses of users.

And the year before, the site dropped a huge clanger – accidentally turning off all password validation for about four hours. That meant that anyone was able to access anyone else’s Dropbox account using any password.

Sheesh. Now do you see why I recommend encrypting your files before uploading them to Dropbox? It’s not just about stopping Dropbox or a government agency snuffling through your files – it’s in case Dropbox makes another goof like that in the future.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

One comment on “The huge Dropbox password leak that wasn’t”

  1. James

    Are you going to revise this article now they have admitted the breach of 68 million user names and passwords?
