Earlier this week, users in Europe started receiving spam at the e-mail addresses associated with their Dropbox accounts, even if they had created the address exclusively for use with the file storage service. Dropbox started investigating and even hired experts to figure out whether there had been a security breach. Disappointingly, or reassuringly, depending on your point of view, this third-party group found nothing.
Dropbox employee "Graham A." posted the following update today on the Dropbox Forums:
We wanted to give everyone another update on our investigation into the reports of spam.
- As of today, we've found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts.
- We've reached out to users who've reported receiving spam messages and are closely investigating those reports.
- Security is our top priority and we'll let you know if we uncover evidence that these email addresses came from Dropbox.
Thanks for your patience. Investigations like this can take time and we're working hard to get to the bottom of this.
Although the spam is being sent to different countries in Europe, it arrives in the user's native language, suggesting this is a very coordinated attack. The spam e-mails advertise different domain names, but all of them have been created very recently, use Russian DNS servers, and are registered at Bizcn. Furthermore, all the different types of spam seem to advertise online casinos.
I speculated earlier that Dropbox could have been hacked, could have seen a leak, could have had its e-mail servers compromised, or there could just be malware on the users' systems. The company took down Dropbox between 12:35 and 12:55 PDT on Monday, but an employee said the outage was unrelated.
If you think you are affected, submit a support ticket here: dropbox.com/ticket. I will update you again if Dropbox says anything else regarding the issue.