Dropbox’s Data Breach Scare Doesn’t Check Out

Drew Houston, chief executive officer and co-founder of Dropbox. Victor J. Blue—Bloomberg via Getty Images

A version of this post titled “Dropbox, dropped ball” originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.

Social media sites have been the subject of a flurry of data breach disclosures in recent weeks. (To understand why, read my colleague David Meyer’s story here.)

Let’s recap. Last month the extent of a 2012 pillaging at LinkedIn (LNKD) became known: 167 million accounts compromised, rather than the 6.5 million originally thought. This week we learned that Myspace had previously been ransacked to the tune of 427 million passwords. (Full disclosure: Time Inc. (TIME), parent of Fortune, owns Myspace now.) Around the same time, security researchers determined that a 2013 breach at Yahoo-owned (YHOO) Tumblr, which the blogging service announced last month, let loose as many as 65 million stolen login credentials.

Given the damage, it’s easy to get caught up in the excitement. In fact, that seems to be what happened at several credit monitoring firms this week. LifeLock (LOCK), among others, blasted out an alert to its customers warning of a data breach at Dropbox that affected 73 million username and password pairs, as independent cybersecurity blogger Brian Krebs reports. According to Dropbox, though, the company does not believe it was the victim of a hack.

“An initial investigation into these reports has found no evidence of Dropbox accounts being impacted,” Patrick Heim, Dropbox’s security lead, told Krebs. “We’re continuing to look into this issue and will update our users if we find evidence that Dropbox accounts have been impacted.”

Krebs dug deeper and discovered that CSID, an identity monitoring firm that is in the midst of an acquisition by Experian (EXPGY), the credit monitoring giant, was responsible for the attribution. Apparently, researchers at CSID saw a Tweet about a data breach posted by a hacker with a reputation for breaking such news. They issued alerts without confirming whether the records in the dump contained any new information. Upon closer inspection by researchers at Flashpoint, a dark web intel firm, it appears the stolen records were merely recycled from the Tumblr dump.

The lesson? When the ghosts of breaches past return to haunt, try not to get spooked. Do the due diligence. Make sure claims check out. Further, dear readers, please consider downloading a password manager. And quit reusing passwords!

Enjoy the weekend; more news here.