The 2014 'Dropbox hack' that wasn't: leaked credentials and ransom

October 2014

Hackers claimed to have stolen nearly 7 million Dropbox logins, posted batches on Pastebin, and demanded Bitcoin — but the credentials came from other breached services, not Dropbox itself.

What happened

In October 2014 anonymous users posted hundreds of Dropbox username-and-password pairs to Pastebin, claimed to hold nearly 7 million in total, and solicited Bitcoin donations to release more. The episode was widely reported as a possible Dropbox breach.

Dropbox investigated and stated that its systems had not been hacked. The credentials, it said, had been stolen from unrelated third-party services and then tried against Dropbox accounts — a 'credential stuffing' attack that succeeds only against users who reuse passwords. Dropbox said the leaked lists were not even associated with active Dropbox accounts in many cases and that it had already expired the relevant passwords.

Impact

Even though Dropbox's own systems were not breached, the incident showed how the company's brand could be weaponized and how password reuse left its users exposed regardless of Dropbox's internal security. It became a recurring talking point in arguments for two-factor authentication and against single-factor cloud logins.

Dropbox's Response / Official Position

Dropbox published a blog post, 'Dropbox wasn't hacked,' stating the credentials were stolen from other services, that affected passwords had been expired, and urging users to enable two-step verification and avoid reusing passwords.

Sources

01
Dropbox Blog — 'Dropbox wasn't hacked'
Official / Dropbox2014
02
The Next Web — 'Dropbox: We weren't hacked, your logins were stolen from other services'
News2014
03
BBC News — 'Dropbox passwords leak online'
News2014

Spot an error, or have a source to add?

Report an error / suggest update

Related issues

20243 sources

Class actions over the 2024 Dropbox Sign breach: negligence and delayed-notice claims

After Dropbox disclosed the April 2024 Dropbox Sign breach, affected users filed proposed class actions in federal court alleging Dropbox negligently failed to protect their data and did not give prompt, adequate notice; the claims are allegations and the consolidated litigation followed in the Northern District of California.

Security Incidents & Data BreachesLegal Actions & LawsuitsCurrent / Ongoing Issues (2024–2026)

Read documentation

April–May 20243 sources

The 2024 Dropbox Sign breach: e-signature data exposed

An attacker compromised the production environment of Dropbox Sign (formerly HelloSign), exposing customer emails, usernames, phone numbers, hashed passwords, and authentication secrets including API keys, OAuth tokens, and MFA data.

Security Incidents & Data BreachesCurrent / Ongoing Issues (2024–2026)

Read documentation

2024–2026 (ongoing)3 sources

The Dropbox Sign breach aftermath: class-action litigation over exposed data

Following the 2024 Dropbox Sign breach, affected users filed proposed class-action lawsuits accusing Dropbox of failing to secure their data and of notifying victims too slowly. Dropbox has contested the claims, arguing the exposed data poses no identity-theft risk.

Security Incidents & Data BreachesLegal Actions & LawsuitsCurrent / Ongoing Issues (2024–2026)

Read documentation

November 20223 sources

The 2022 phishing breach: 130 internal GitHub repositories stolen

A phishing campaign impersonating the CI provider CircleCI tricked Dropbox employees into handing over credentials and 2FA codes, letting attackers copy 130 of Dropbox's private source-code repositories.

Security Incidents & Data Breaches

Read documentation