Early Thursday, Dropbox user Forrest F made an exceptional claim on Dropbox’s support forums: “You guys leaked or gave out my email. Why?”
Forrest, it turns out, had employed a trick common among cautious internet users — he used a unique variation of his email address, otherwise known as an alias, whenever he signed up for a new service. That way, the thinking goes, he could see if any companies he trusted with his information were sharing it. If spam arrived in his inbox, he could see that it was sent to an alias, and track it back to its source. Recently, he started getting spam — and it came from his Dropbox address.
A moderater quickly addressed the claim, saying that Forrest likely hadn’t been hacked. “A lot of spammers try hit-and-miss techniques,” he wrote, “and you’re likely just a random victim rather than a whole mass leak of tons of DB users’ emails.”
Forrest didn’t buy it: “I have several emails set up with several sites some for even a few years,” he said. “But someone, somehow, figured out just this one. Amazing.”
“Right,” the moderator said, “That’s essentially what I was saying. It was a random guess. Dropbox doesn’t give away emails like this.”
But then, what started as a single user complain quickly snowballed. Complaints came rolling in, and many confirmed that email addresses used only with Dropbox had started receiving spam:
One user was sent a single spam message to *three separate* email addresses used only with Dropbox:
Complaints are surfacing all over Twitter too:
As of today, getting lots of spam on all my #dropbox only mail accounts. Anyone else also?— Stefan Frei
Seems @dropbox might have been hacked, tons of spam to my dropbox only email today.— Miles Smith
Seems a lot of people (myself included) have started to receive spam emails and they got our email address’ from @Dropbox.— Delta
Getting spam to a mail which I’m only using @Dropbox. Can someone approve that spammers got access to dropbox account data?— Darky
I just got spam to a bunch of e-mail addresses that I’ve associated only with @Dropbox. Did they have another security breach?— Deozaan
Dropbox, which has not yet responded to a request for comment, was hacked last year — it’s possible that consumer data lost then was just recently re-sold. But if that’s the case, users don’t appear to have been directly notified that their email addresses were exposed. “I was a dropbox user since 2009, and an active user in Summer 2012 when the breach occurred,” writes user Stephen O, “and I did not receive any notification from dropbox about the data breach.”
The spam could also be the result of some kind of proliferation of unrelated malware, which could collect keystrokes or stored information from computers in a way that doesn’t have anything to do with Dropbox — perhaps an undiscovered exploit in a mail client or browser.
The most severe possibility, though, is that Dropbox emails have somehow found their way from the company’s servers and into the hands of a third party.
Dropbox’s terms say that the company “[does] not sell your personal information to third parties,” which is standard practice for large web companies. But the more worrying risk, and the one Dropbox will need to address, is the possibility of some kind of breach, either in Dropbox or in a service or company affiliated with it.
Update: On the Dropbox forums, Dropbox employee Sean B has posted the following:
We’ve been looking into these spam reports and take them seriously. Back in July we reported that certain user email addresses had leaked and some users had received spam as a result. At this time, we have not seen anything to suggest this is a new issue, but remain vigilant given the recent wave of security incidents at other tech companies.