I woke up late this morning and while reading through my daily news sources, I came across this sensational headline on Firspost. Now, I like Firstpost for its clean & minimal layout and that it doesn’t have “in-my-face” ads all over the site. However, their reporting lately has been pretty off. Last week, they wrote about the Google Fiber announcement, reporting that the company was offering a package with speeds of “1 gigabyte per second”. Even though I think that anyone reporting Tech News should know the difference between a byte and bits, I understand mistakes like this do happen. Yet six days later, the mistake still exists in their report.
Anyway, when I first read the headline “After LinkedIn and Yahoo, Dropbox says it was hacked” my first reaction obviously was, “Uh, oh!”. But I quickly went to the Dropbox blog to see what they had to say.
A couple weeks ago, we started getting emails from some users about spam they were receiving at email addresses used only for Dropbox. We’ve been working hard to get to the bottom of this, and want to give you an update.
Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
And here’s what Firstpost’s article says:
And now Dropbox has confirmed that hackers have been able to access a ‘small number’ of its users dropbox accounts and have promised to take immediate remedial measures.
[…]
Dropbox conducted an investigation and have now confirmed in an official blog post that “a small number of accounts” were indeed accessed by hackers.
Dropbox here is claiming that passwords were stolen on some other website and were used to sign in on some Dropbox accounts. In the email that they sent out notifying users that their passwords were reset by Dropbox, they say that “[…] Recently, passwords have been stolen from some Internet services. This is a problem because many people use the same password on multiple services, which is unsafe.”
Note that Dropbox uses OAuth for signing in on other websites. So this either means that a LOT of people just used the same passwords on these sites or that Dropbox was hacked and that they’re not revealing that yet. In any case, Firstpost still goes onto say that Dropbox was hacked, even citing Dropbox itself in the headline. One can’t resist a sensational headline like this, can he?
Update: The blog post on the Dropbox also says that:
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses
So there’s a good chance this is the source of all the emails receiving the spam.