Dropbox creds posted online in attempted extortion


Cloud storage company denies hack.

Dropbox has assured users its cloud storage service remains secure despite hackers threatening to release a trove of seven million user credentials in exchange for Bitcoin donations.

Unknown individuals today published 400 user account logins and passwords - which appear to be legitimate - to online forum Pastebin as a "teaser".

The authors of the post threatened to release a full set of 6,937,081 details they claimed to have compromised in segments once they receive an unspecified amount of donations.

The authors of the post claimed to have accessed account log-ins and passwords as well as users' photos, videos and other files stored in the Dropbox account.

"Come back and check Pastebin for new Dropbox drops. The more BTC donated will reflect how many more login and passwords are released public."

Dropbox quickly issued a statement saying the credentials posted so far had been compromised via a third-party application in an earlier incident it had already investigated.

"These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts," a spokesperson said in a statement to iTnews.

"We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well."

The attackers had received one Bitcoin donation at the time of writing.

In the months following a security incident in 2012, Dropbox offered two-factor authentication, which lets users confirm a log-in attempt with a temporary code sent to their phone.

Users can activate two-factor authentication on Dropbox by selecting the 'security' tab within the settings option in their account.

The incident draws parallels with claims last month that Google's Gmail service had been compromised, after hackers posted what appeared to be five million user account logins and passwords online.

Google advised that the outdated details had been taken from third-party websites that Gmail account holders used their Gmail addresses to register with. The leaked passwords were associated with those third-party apps and not the Gmail account, the company said at the time.

Copyright © iTnews.com.au. All rights reserved.
