Dropbox was the latest company under the gun on security, when a link on reddit surfaced a claim that hackers have nearly 7 million usernames -- plus their passwords -- from the storage service on Monday. The hackers, via a post on the Web site Pastebin, released a sampling of around 400 names and passwords that they claim to have taken. They threatened to release more to people who pay them in bitcoin.
But Dropbox is saying, quite clearly, that its users shouldn't be worried about what they store on its site.
"Your stuff is safe," wrote Anton Mityagin, who is part of Dropbox's security team, in a company blog post on Monday.
According to Mityagin, the passwords listed in the documents weren't taken from Dropbox or its systems, but rather from unrelated companies and services. While reddit users have managed to break into some Dropbox accounts using the usernames and passwords, Mityagin and Dropbox are adamant that the leak didn't originate with the storage company. Not only that, Dropbox said that it has proactive measures in place to automatically reset passwords when it notices sketchy activity.
That's still probably cold comfort to anyone who finds that their account information has been leaked online. But it does stand as a good reminder about some aspects of personal online security.
First and foremost: if you reuse your Dropbox password for any other service, it's probably a good time to reset your password -- if Dropbox hasn't already done it for you. And, if you haven't already, you should consider taking full advantage of your security options. Dropbox is one of an increasing number of services that use two-factor authentication, and will text you one-time use code to use in addition to your normal username and password. It is a tad less convenient, but at least you can feel a little more secure that you're the only one holding all the keys to your account.
Finally, leaks such as this one and the massive flood of Snapchat photos that hit the Web last week after a third-party breach, stand as a good reminder that the attack you have to fear may come from an unexpected direction. A chain is only as good as its weakest link. If you're authorizing other services to hook in with an app or service, you have to be able to trust the outside service's security as much as you do the big-name brand you're using.