Dropbox users urged to set up two-factor authentication after 7m logins are hacked

14 Oct 2014

Image via Alexander Supertramp/Shutterstock

Dropbox users are advised to change their passwords and enable two-factor authentication, as hackers claim to have the credentials of almost 7m users.

An anonymous hacker or group of hackers claims to have stolen 6,937,081 email and password logins from Dropbox.

Hundreds of email-password combinations have been published on Pastebin by the hackers as evidence of the attack, and more have been promised in return for bitcoin donations.

The first Pastebin post contained details on 400 accounts, while another 100 were then revealed in the second and third posts.

Dropbox has stated on its blog that its own servers were not breached. It says the credentials were stolen from unrelated third-party services, which it did not name, and then replayed against Dropbox and other sites, the pattern known as credential stuffing.

Dropbox says files are safe

“Your stuff is safe,” wrote security team member Anton Mityagin.

“The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log into sites across the internet, including Dropbox. We have measures in place to detect suspicious log-in activity and we automatically reset passwords when it happens.”
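What the replay of stolen credentials looks like on the receiving end, and one minimal way to spot it, as an added example that is not Dropbox's detection code and is not described in the article beyond the sentence above: a credential-stuffing run tries many different accounts from one source in a short burst with a low success rate, and the accounts that did succeed from such a source are the ones whose passwords should be reset. The log format, the sample lines and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Dropbox data). The format is an
# assumption for this example: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2014-10-13T02:00:01Z 203.0.113.7 alice@example.com FAIL
2014-10-13T02:00:02Z 203.0.113.7 bob@example.com FAIL
2014-10-13T02:00:02Z 203.0.113.7 carol@example.com OK
2014-10-13T02:00:03Z 203.0.113.7 dave@example.com FAIL
2014-10-13T02:00:03Z 203.0.113.7 erin@example.com FAIL
2014-10-13T02:00:04Z 203.0.113.7 frank@example.com FAIL
2014-10-13T02:00:04Z 203.0.113.7 grace@example.com OK
2014-10-13T02:05:00Z 198.51.100.20 alice@example.com FAIL
2014-10-13T02:05:30Z 198.51.100.20 alice@example.com OK
2014-10-13T03:10:00Z 192.0.2.9 heidi@example.com OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log: str):
    """Turn log text into (timestamp, ip, account, succeeded) tuples; malformed
    lines are skipped rather than aborting the whole run."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_accounts=5, max_success_rate=0.5):
    """Per source IP, slide a time window over its attempts. An IP that tries at
    least min_accounts distinct accounts inside the window with a success rate at
    or below max_success_rate is flagged; the accounts it did get into are
    returned so their passwords can be reset. A single user retrying their own
    password (one account, even with failures) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):
            in_win = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_win}
            successes = [u for _, u, ok in in_win if ok]
            if len(users) >= min_accounts and len(successes) / len(in_win) <= max_success_rate:
                flagged.setdefault(ip, set()).update(successes)
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; reset {sorted(accounts)}")
```

The thresholds are deliberately crude; a production detector would also look at user-agent churn, geography and per-account failure history, but the core signal (many accounts, one source, mostly failures) is the same.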

How to set up two-factor authentication on Dropbox

  1. Go to your security settings on Dropbox (requires user to be logged in).
  2. Under two-step verification, click ‘Enable’, then ‘Get Started’ in the pop-up.
  3. Re-enter your password.
  4. Choose whether you want to receive your security code by text message or using a mobile app.
  5. If you choose text messages, enter your phone number and then enter the security code Dropbox texts you to verify it. From then on, a code is sent to that number for every login.
  6. If you choose a mobile app, install one that supports the time-based one-time password (TOTP) protocol: Google Authenticator (Android/iOS/BlackBerry OS), Duo Mobile (Android/iOS), Amazon AWS MFA (Android) or Authenticator (Windows Phone 7). Depending on the app, configure it either by scanning the QR code Dropbox displays or by typing in the secret key it shows, then enter a code generated by the app to confirm that the set-up worked. From then on, the app generates a fresh code for each login.

Dropbox reportedly noticed suspicious activity on a number of these accounts months ago and had already disabled the majority of these passwords. Further to that, all of the remaining passwords published online have been disabled.

These users will have received notification of the password expiration via email.

Meanwhile, a transaction tracker for the bitcoin wallet to be used for donations shows that the current balance amounts to an equivalent of €0.03.

Security tips for Dropbox users

Password reuse is exactly what let the attackers into Dropbox accounts in the first place, so the publication of hundreds of working email-password pairs is bad news for anyone who uses the same combination elsewhere. Dropbox users would be prudent to change the password on every other website or online service where they reused it.

For added security, Dropbox users can set up two-factor authentication.

Users are also advised to add a second phone number to the account so if their device is ever lost, a back-up security code can be sent to an alternative number.

For more information on two-factor authentication, visit Dropbox’s help centre.

Users can also review their Dropbox sessions, linked devices and connected apps in their account security settings to spot suspicious activity, and unlink anything they do not recognise.

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.