A thread on the Dropbox forums is filling up with reports of users getting sent spam email to addresses that have exclusively been used for the service. The uptick in spam has grown beyond just a few users, sparking some comparisons to last year’s data leak.
Dropbox has taken notice and is now investigating.
The thread indicates a couple of things that make this more interesting than ‘I’m getting spam’. First, many of the users complaining about the issue claim to be using email addresses exclusively for Dropbox. This means that they aren’t public emails and shouldn’t be on any other lists anywhere. Second, the spam coming to those emails spring into existence over the space of the last few days, indicating that there was some sort of incident (like a leak of emails) that allowed spammers access to them.
Some examples of users having issues [sic]:
Mathieu F.: I can also confirm that I received a spam e-mail today, about 4 hours ago, to my Dropbox-specific e-mail address. I believe that the customers reporting this issue here are correct, Dropbox’s e-mail addresses have been leaked in some form.
Stephen O.: I can confirm what the op said – I have an email address that is 10 random characters, uniquely used for dropbox, and I got spam on it this week. If they were spamming my domain, I would have received many more notices, but they only hit one specific address – dropbox’s.
I suspect the dropbox emails were sold or compromised.
If this story is sounding a tad familiar to you, it’s because it’s the same scenario that played out last July, when a number of Dropbox users began complaining of spam emails. After an investigation, it was discovered that some user credentials had been leaked to a third-party website, and that one of those logins belonged to a Dropbox employee. That employee’s login was then used to gain access to a larger list of users which then began to receive spam. Dropbox was spurred to introduce two-factor authentication on discovery of the breach.
At this point, according to a posting in the still-growing thread, Dropbox has taken notice and is investigating. Dropbox team member Sean B. writes:
We’ve been looking into these spam reports and take them seriously. Back in July we reported that certain user email addresses had leaked and some users had received spam as a result. At this time, we have not seen anything to suggest this is a new issue, but remain vigilant given the recent wave of security incidents at other tech companies. If you’ve received spam to an email account you only use for Dropbox, please send the message (including full headers) to firstname.lastname@example.org to help our ongoing investigation.
Separately, we want to apologize for some of the dismissive responses from our volunteer moderators – since they aren’t employed by Dropbox, they don’t have visibility into issues like this. We want you to know that we’ve taken these reports seriously and began our investigation immediately.
A leaked list of Dropbox email addresses is only one of many possible causes that could be behind an uptick in spam. This could, for instance, be a result of that list of users from last July being targeted again.
There is some evidence to suggest that a grouping of emails has begun receiving more spam, rather than just individual accounts, but where the list that is being used to send those spam emails came from is still a question that can probably only be answered by Dropbox.
We’ve reached out to Dropbox for more information and will update the post when we know more.