The site’s support forum has been overrun with comments by users about spam being sent to Dropbox-specific email addresses – ruling out cross-contamination from other activities.
“I somehow made the link with two fishing [sic] spams I received a few days ago, went back to them (or rather, to the only one I had kept for interest because it seemed better crafted that the usual spam I receive) and... bingo, it had been sent to **.dropbox@****.** – an account I had signed up for in 2009 and never used at all, there is zero chance this email was leaked from my part, from sharing documents or any other such way,” wrote account holder Matthieu V. on Friday.
Another user, R.O., said that he received a fake PayPal mail to his unique Dropbox email this week. “First time ever that this specific email address was spammed. You've got a leak somewhere. Did I hear complimentary upgrade? :)”
Users also complained that Dropbox volunteer moderators on the forum have been dismissive to the issue. But the company finally issued a statement last week, and posted it to the forum. "We've been looking into these spam reports and take them seriously,” it reads. “Back in July we reported that certain user email addresses had leaked and some users had received spam as a result. At this time, we have not seen anything to suggest this is a new issue, but remain vigilant given the recent wave of security incidents at other tech companies,” referring to recent attacks on Facebook, Apple and others.
It added, “We want you to know that we've taken these reports seriously and began our investigation immediately."
Dropbox was hacked last summer, after the perpetrators used hundreds of usernames and passwords from third-party sites to cross-reference with Dropbox account credentials. When they found a match, the hackers proceeded to ramp up spamming from the site’s accounts, with emails about online casinos and gambling sites. It's possible that those same credentials are being re-used this time. Or, it could be a similar but fresh campaign.
In the wake of that incident, Dropbox added optional two-factor authentication at sign-in, with a temporary code that can be sent to a mobile phone. Internally, the company said that it added automated mechanisms to help identify suspicious activity, and it urged users with common or long-used and unchanged passwords to change them.
It also added a ‘security’ page to users’ account settings. This lists the devices that have access to the user’s account and when they last used it, in addition to all browsers currently logged into the account.
The causes of the spam incident have not yet been uncovered, nor is it known how widespread of an issue it is.