Some Dropbox users have begun reporting that their accounts are under attack from spam, but what’s more troubling is that, in select cases, the spam is hitting accounts where users claim their email address is only used on Dropbox and not elsewhere on the web. In other words, it’s a unique and private email address, which means there’s an increased possibility that the spam may be related to an address leak on Dropbox’s part.
That’s not necessarily the case, however. Spambots sometimes try random emails until they get a hit, the users may have malware on their PCs which has captured their email through other methods (like a keylogger, for example), and there’s a chance that another third-party app which integrates with Dropbox may actually be the source of the problem. Dropbox is looking into these claims right now, according to the latest official word from the company.
The user complaints first showed up on the Dropbox forums, where, eight hours ago, a company representative called “Joe” stated that Dropbox is: “actively investigating your reports” and “if you have any additional information, please email firstname.lastname@example.org, and we’ll be sure to follow up.”
Many of the affected users initially appeared to be located in Germany, and much of the spam comes from a spammer called “Euro Dice Exchange,” from early reports. However some users claim to have received different spam messages, and others outside of Germany (in the Netherlands and U.K., mainly) have also been affected according to both forum messages and tweets. We’re not seeing any reports of Dropbox U.S. users targeted, though. Let us know if you were.
You can see many of the “Dropbox spam?” tweets here, for instance.
Any German dropbox users getting spam? forums.dropbox.com/topic.php?id=6…
— macshome (@macshome) July 17, 2012
— Kev Kev (@CyaeghaUK) July 17, 2012
I am receiving Spam on my dropbox-only Email account. Any explanation for this, @dropbox?
— Linuzifer (@Linuzifer) July 17, 2012
.@Dropbox Just to inform you had two spam emails addressed to my dropbox email address this morning. Same content, but ‘different’ senders.
— Qyv (@PhotonQyv) July 17, 2012
Uhoh, just had spam to email address only used for Dropbox. Has there been any news of security breach there? :/
— Edith S (@wiilassie) July 17, 2012
Lots of spam suddenly coming to an email dropbox@[mydomain].co.uk, which I happen to have used to sign up for a certain service. Hmmm….
— Richard England (@englandrp) July 17, 2012
It’s too soon to point fingers at Dropbox as the source of the leak, despite the flare-up. But we reached out to the company around 45 minutes ago with a request for more details. Dropbox communications can be slow to turn around responses, so we’ll update this post with news as it comes in.
Update, 3:11 PM ET – Here’s the official statement from a Dropbox company representative:
We‘re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.
Update 2, 4:00 PM ET – Various reports of Dropbox being down have been circulating on Twitter and elsewhere (The status page is showing “up” currently.) Estimated outage around 30 minutes, based on Twitter.
Update 3, 6 PM ET: Dropbox says the downtime was unrelated.