Cloud storage service Dropbox has further distanced itself from the leak of hundreds of login credentials and sought to reassure its customers as yet more passwords were posted online on Wednesday.
In a blog post titled "Dropbox wasn't hacked", a security staffer at the company slammed media outlets for running with hackers' claims that the service had been hacked, assuring users "your stuff is safe".
"Recent news articles claiming that Dropbox was hacked aren't true," Anton Mityagin wrote.
"The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox."
An anonymous "guest" claimed to have stolen 7 million individual credentials from Dropbox, and posted hundreds of them in a series of several "teaser" posts at the website Pastebin.
The culprit promised to release more login details the more money people donated, using the cryptocurrency Bitcoin.
Only three Bitcoin transactions had been made to the hacker, or hackers, at the time of writing, totalling the equivalent of $1.50.
A later post, added about 3am on Wednesday, included links to pages that appeared to let users download the full list of login details if they completed a survey.
The post claimed 90 per cent of the supposed Dropbox accounts contained files that were "NSFW" – online slang for "not safe for work", referring to content that is unsuitable to be viewed in public, such as that containing nudity, or is pornographic or profane.
The poster added instructions for affected users to pay with Bitcoin and send them an "exclude" email if they wanted their credentials removed from public view.
Dropbox's Mr Mityagin said in an update to his blog entry on Tuesday night that the company had checked "a subsequent list" of login credentials and found that none of the details were associated with Dropbox accounts.
Despite Mr Mityagin reassuring account holders the company automatically resets user passwords whenever "suspicious activity" occurred, an apparently benevolent Pastebin user claimed to have run a script to "unhack" the leaked accounts by changing their passwords.
"I figure being locked out of your account is better than script kiddies snooping through your files," the user wrote.
"Don't donate to the script kiddy's Bitcoin address, as the passwords leaked will not be valid for long."
Melbourne-based Linus Security's Mike Thompson said while it was a fair assessment that third-party services had been the sources of the leak, Dropbox was typically aggressive in pushing its application user interface (API) so that customers could use the service via other platforms.
"If one account is compromised, it compromises everything," Mr Thompson said.
"It sets a very dangerous precedent for letting convenience take over good security practices."
Other cloud storage services had not been quite as aggressive at pushing third-party sign-on as Dropbox, Mr Thompson said, although Google – which has Google Drive – was "guilty" of pushing its accounts "the other way", i.e. allowing people to access to other services using their Google account.
Mr Mityagin reiterated that customers should use different passwords for different services and urged them to turn on two-step verification, which requires logging in with a security code sent to your phone when accessing your account from a new device.
Mr Thompson said it was difficult for consumers to remember multiple passwords for so many online services and recommended using a password vault or manager – an inexpensive security measure that encrypts passwords on your devices.
NSA whistleblower Edward Snowden went further last week advising those concerned about their privacy to "get rid of Dropbox" and cease using Facebook and Google.
Dropbox is a six-year-old Silicon Valley startup that boasts more than 200 million users. It has undergone tremendous growth amid the meteoric rise of cloud computing, which is expected to continue booming alongside mobile computing.