The spam attack and related possible address leak over at Dropbox may be even more serious than we originally thought. According to a message posted by the company over on its forums, they’ve now brought in “an outside team of experts” to assist Dropbox’s own security team in the investigation.
As of now, Dropbox says it hasn’t had any reports of unauthorized activity on user accounts, and it has taken a number of precautionary steps to deal with the issue, but declined to go into further details.
In case you missed it, yesterday we reported that some Dropbox users began to see their accounts targeted by spammers. What was troublesome was the fact that many of these users claimed they were being attacked despite having set up unique and private email addresses that were only being used with Dropbox. If that’s true, it means there’s the potential that the spam attack is related to an address book leak, which could be the result of a hack. Many of the reports came from Dropbox’s international users, specifically those from Germany, the U.K. and the Netherlands. There are now six pages of complaints on the forum site about the spam.
While it initially seemed possible that the users were the victims of random spambots being able to “guess” their emails, a malware infestation on their PCs that stole their credentials, or even a compromised third-party application, those scenarios now seem far less likely given Dropbox’s admission that it has brought in hired help.
While the spam largely contained messages related to European casino scams, and doesn’t seem to have any other impact beyond annoyance at this point for the affected users, its mere existence now seemingly points to a more definite possibility that Dropbox was actually hacked.
According to Dropbox engineer Joe Gross, the outage Dropbox experienced yesterday was “incidental and not caused by any external factor or third party.”
If it weren’t for its acquisition of TapEngage, Dropbox would be having a very bad week, it seems.
Note: We’ve reached out to Dropbox for additional details, but it’s not likely that they’ll comment on this beyond what they’ve chosen to publicly share at this point. If they do, however, we’ll update this post.