The Next Web was the first to notice the leak on a site called Pastebin, where hackers have already leaked about 400 accounts. The hackers promise to release more accounts in return for Bitcoin donations. The hackers claim to have over 6.9 million email addresses and passwords belonging to Dropbox users.
In a statement to The Next Web, Dropbox denied it was hacked:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.
It's a similar response to the one Snapchat had when hackers were able to obtain about 100,000 photos from the service through a third-party app. Snapchat claimed its servers weren't hacked, but the servers of a third-party app designed to save Snapchat photos.
The real problem in both cases appears to be the way popular services allow third-party apps to use their platform. Even though Dropbox's own servers weren't hacked, the service still allows third-parties access, which has become the target for hackers to obtain personal information.
Dropbox is sending affected users emails encouraging them to reset their passwords, The Next Web reports.
This is an alarming trend. Services like Dropbox, Snapchat, and Apple have pushed blame on users and other third parties following recent hacks when it's clear they're not doing enough to scrutinize the kinds of apps that have access to their platforms.