Oct 14, 2014 · 2 minutes

Dropbox has refuted claims that hackers stole 7 million username-password combinations from its servers -- but that doesn't mean no accounts have been compromised by the hackers, who are said to have gotten the logins from a different site, according to a report from Business Insider.

Dropbox will not disclose how many accounts have had their passwords "expired" because someone besides their owner tried to access them. As Business Insider explains:

Dropbox has already expired the 400 logins that have been leaked so far. But it's unclear if the logins of the nearly 7 million other Dropbox users the hackers claim to have are still safe. A Dropbox spokesperson told Business Insider that Dropbox consistently expires passwords for accounts that are being attacked, but could not provide a number of accounts expired recently. That means it's possible that there are nearly 7 million other Dropbox accounts still vulnerable.

The entire episode shows that no data breach exists in a vacuum. Dropbox and its customers are now forced to deal with these claims even though the company's servers weren't attacked; instead, the Dropbox accounts were made vulnerable by people reusing their online passwords. It's similar to the need for consumers to get new credit cards after one store is compromised -- the dependence on one vulnerable tool at multiple places creates a domino effect of problems.

The most obvious solution is to not reuse passwords, but it's hard to imagine the majority of Web users developing strong, unique passwords for all of their online accounts. Microsoft's researchers reached a similar conclusion on their own after studying ways to make the human part of online security stronger, as I reported when their conclusions were published in July:

Expecting the average person to remember a bunch of unique passwords is like expecting a husband on a sitcom to remember his anniversary. Therefore, it’s better to take that stupidity into account by reusing passwords. But you’d better be smart about selecting the sites that use the same password — an important site can be lost in a group of unimportant ones just as easily as an anniversary can be lost in an overflowing sea of sitcom tropes like “in-laws visiting” or “family road trip.”

It's a similar problem to the one posed by credit cards. It's ludicrous to think that consumers will start carrying around store-specific cards following the data breaches at Target, Kmart, Home Depot, and other retailers. They probably aren't going to start using cash, either. So we're left with a system where an attack on just one place can create problems at countless others.

So what are people supposed to do? Honestly, it seems like the options are either "learn how to deal with multiple passwords and paying for things with cash" or "accept that you're going to have to worry about your personal information and banking data being stolen all the time." It's unfortunate for companies that aren't directly affected by leaks, like Dropbox and credit card issuers, but it doesn't seem like there's going to be any slowdown in data breaches in the near future.

[illustration by Hallie Bateman]