Unfortunately for Dropbox, last week several identity theft protection services including LifeLock wrongly reported that 73 million usernames and passwords had been stolen in a data breach on the cloud storage company. The problem is that Dropbox didn’t have a data breach, Tumblr did.
The source of the mistake was the identity monitoring firm CSID. CSID, which is currently in negotiations to be bought by Experian, uses online sources that in the past have been accurate to tip them off on new data leaks. In this case a hacker who goes by the handle “w0rm” posted a tweet with a link to a file that he claimed contained 100 million username and passwords for Dropbox accounts. In reality, the file contained 73 million and CSID couldn’t verify whether or not they actually were for Dropbox. Ultimately, CSID took the hacker’s word for it and wrongly blamed Dropbox for the breach.
Apparently, analysts at CSID don’t test stolen passwords by using them to attempt to log into the breached site, nor do they attempt to make an account using the stolen email addresses. If the information came from that site, it wouldn’t allow a second account with the same email address to be created. That said, they do comb through usernames and passwords for other information that may point to their source. For example, in the LinkedIn breach many of the passwords had some variation “linkedin” contained in it.
It’s never a good idea to use the same password across multiple services and Dropbox encourages users to create strong and unique passwords. Additionally, even though they didn’t have a breach, they are reminding their users that they offer two-factor identification. If you have an account that contains any personal information, you should really be using two-factor authentication if it’s offered, unfortunately less than 1% of Dropbox users do.