
Why was my email leaked? - chmars
https://forums.dropbox.com/topic.php?id=97303
======
inovica
Unfortunately I have seen their customer service go downhill recently. Not
sure if they are having capacity problems or something. 2 weeks ago I signed
up for a trial of Dropbox Teams and it said that after the trial I would be
dropped back to my Pro account. I cancelled the trial as I had made my mind up
not to do it and it dropped me to a free account. Several emails to support,
the account manager I'd been provided as part of the Teams setup and I still
don't have my Pro account back and have had zero feedback from them. The only
email I got was this one which is ridiculous:

Hi,

Thank you for your support request. Recently, we have been receiving a high
volume of support requests and haven't been able to get back to you within a
reasonable amount of time.

The volume of inquiries we receive on a daily basis prevents us from
responding to all requests. Although requests from Pro and Teams users will be
given priority assistance, we will do our best to get back to other inquiries
when possible. If you are not a Pro or Teams user and you're looking to
resolve your issue before we can respond, you may want to check out:

<https://www.dropbox.com/help/>

If you need to restore a large number of files and are unable to do so, please
visit the following instructions to help us speed up the restoration for you:

<http://db.tt/2QPImJ3g>

If you are still experiencing problems, please reply to this message. We will
try our best to get back to you, however we cannot guarantee a response. We're
very sorry for the inconvenience.

Regards, The Dropbox Support Team

~~~
revelation
From this forum "experience", it seems they have copied the Google model of
service. They offer the support forum as a major source of support and promote
heavy users to moderators or give them some other special flair. Mind you,
normal users, without any inside access, information or capabilities. These
users then spend their time flagging down support requests and blaming the
posters.

~~~
wpietri
The victim-blaming was shocking to me here.

The bit where Andy Y. says, "Oh, some spammer just guessed it" was funny. As
if spammers needed to do dictionary attacks against the sort of tagged
addresses that 0.1% of people use.

But it became hilarious when he said the same thing to the guy who uses
10-random-character tags. As if they would hit upon two different Dropbox
addresses like that before the sun cooled to a cinder.

The original complainant is much more patient than I am. If that's what I'd
gotten as "support" on a paid service when reporting a security breach, I
would have closed my account and told them to get fucked.

~~~
unreal37
To defend Dropbox here, those people are forum moderators and not employees of
Dropbox. The first Dropbox employee to respond specifically apologized for
those responses. Jumping on Dropbox for this is just going to harm other
companies responding to customer support requests in a timely fashion before
lawyers get a chance to review...

~~~
potatolicious
> _"those people are forum moderators and not employees of Dropbox"_

They're _official representatives_ of Dropbox, even if they are unpaid. Their
behavior is entirely on Dropbox, and the fact that Dropbox has farmed out its
customer support to unpaid amateurs is possibly a worse realization than the
fact that the clueless person was not an employee.

~~~
res0nat0r
Eh not really. They are community volunteers. The best part is that they can
give free support in the forums without pay, and then when something escalates
and they've done something wrong an actual employee can wash their hands of
the situation (as they've done here) by stating they aren't actually employed
by the company.

So it's a win win for Dropbox. Free forum support for low level day to day
forum chatter and easily absolvable of any wrongdoing if they screw up.

~~~
gokhan
That's the price of trying to provide a vital service free with some clueless,
non-paid "customers". I mean, frontpage of HN with zillion upvotes and
comments, after you fail to support customers.

------
Khao
The way the moderators handled this was pretty damn bad. Two different users
tell the moderator they use UNIQUE e-mail addresses for dropbox only, and they
received spam roughly at the same time and yet the moderator answers by
assuming the users are idiots.

~~~
kybernetyk
Yup, especially Chris' behaviour is a no go. I don't know how the mods are
affiliated with dropbox but if they are employees I wouldn't let them have any
customer contact at all.

~~~
benhalllondon
Yeah, Chris seems a bit of a prick:

    "Just the fact that you listed your emails says it all."

~~~
Scramblejams
Looks like Chris is battening down the hatches. His linked site[1] was up
about an hour ago, but it redirects to a placeholder now. Also, he's deleted
all but his first comment, wish I'd taken a screenshot of his other comments.

Tangentially related: It drives me nuts to deal with people whose default
answers are "no," "you must be doing it wrong" and so on. Particularly the
moderators who insisted someone must have guessed a ten digit random email
address -- because Dropbox and its vendors couldn't POSSIBLY have ever done
anything wrong, and it's MUCH more likely that a spammer magically brute-
forced a 10 billion combination address! Grrr. I'm not sure what the right
word is to describe that sort of personality, but such people should never
have contact with customers. Or with me.

[1] <http://cjwworld.cu.cc/>

~~~
jdmichal
It's not just a 10-character address. It's a 10-character address on a non-
standard domain (or so the conversation led me to believe). All without
getting another email on that domain's catch-all address. If it was a spammer,
who randomly-generated addresses on this domain, I would imagine that they
would have been shotgunned across the whole domain. Not just hit that one
single address.

------
chmars
Sean B.:

 _Hi there,_

 _We’ve been looking into these spam reports and take them seriously. Back in
July we reported that certain user email addresses had leaked and some users
had received spam as a result. At this time, we have not seen anything to
suggest this is a new issue, but remain vigilant given the recent wave of
security incidents at other tech companies. If you’ve received spam to an
email account you only use for Dropbox, please send the message (including
full headers) to support-security@dropbox.com to help our ongoing
investigation._

 _Separately, we want to apologize for some of the dismissive responses from
our volunteer moderators - since they aren’t employed by Dropbox, they don’t
have visibility into issues like this. We want you to know that we've taken
these reports seriously and began our investigation immediately._

<https://forums.dropbox.com/topic.php?id=97303&page=2#post-530452>

~~~
acoleman616
Coincidence that it came (relatively) right on the heels of "and you're on
HN"...?

~~~
benologist
A bunch of employees probably saw it here first... if you worked there would
you prefer to hang out on their support site or HN?

~~~
badgar
If you're an engineer, HN. If you're responsible for keeping users happy, the
support site. But as usual, it seems the only people employed at Dropbox
responsible for keeping users happy is the damage control department.

~~~
snikch
That's a very naive response. You cannot expect a community of DropBox's size
to be actively monitored by paid employees in a manner like a public forum.

------
markdown
While I can't speak for Dropbox and this specific case, we had angry customers
like this two or three years ago.

Obviously we were very concerned, and spent days poring over server logs and
trying to figure out where the breach was.

Turns out the service we used for newsletters (icontact) had been hacked. They
never emailed to let us know. (They had a blog post up for a few days, then
removed it, the slimy bastards!)

Since then we've used MailChimp, and had no problems.

~~~
kalleboo
We were also hit by the iContact breach.

We lost a lot of trust with customers since we had a kind of low-rent image to
start with (discount software bundles). The worst part was they never really
owned up to it - the blog post just said they were "investigating it". They
never followed up, then they redesigned their site and the blog post
mysteriously disappeared. Assholes.

------
Mahn
I just checked the spam folder of a gmail account I used for dropbox.
Throughout the years I'd occasionally (maybe once every two months or so) check
the spam folder merely out of curiosity, but it was practically always empty.

Perhaps this is just a huge coincidence but I see three spam emails sent today
plus another two sent this week. Some of them have cc recipients which seem
legit addresses of other people, but I can't identify them. I never used
Zendesk by the way.

Edit: here are the senders, in case it helps: no-reply@adsl.hu,
no-reply@velkommenhit.no, no-reply@wdl.fr, no-reply@tataidc.co.in,
no-reply@variationfm.com. Though it looks like these addresses may have been
spoofed... the sender name is "{%FROM_NAME%}" in all of them.

Edit 2: It turns out Groupon Germany (former citydeal.de), which I checked out
once with the same address, is responsible from what I can gather (link in
German, but everything matches, company has yet to say anything):
<http://hukd.mydealz.de/diverses/groupon-verkauft-kundendaten-wer-h%C3%A4tte-gedacht-175655?page=2>

~~~
neogodless
Whoa - yeah my spam folder has two sent to "dropbox.com@<mydomain>.com"

From ".Вишняков@direct.nacha.org" <kohinoorwm87@lifesep.com> and
".Белов@fdic.gov" <runoffiz@smarterbythemonth.com> with subjects of "Declined
Direct Deposit payment" and "Update of the security software is required!"

I do get lots of "random" spam sent to addresses like
"fcbb3a43@<mydomain>.com" but I can't believe the moderators really think that
a "random" guess would land on "<domain>.com@<mydomain>.com" _sigh_

~~~
sordidfellow
Those look exactly like the phishing emails I received on my dropbox-specific
email address

------
WestCoastJustin
Brutal customer service! Especially since a user is giving you a heads up
about a possible breach and leakage of _their_ personal information. I can
fathom these types of replies if this was behind closed doors, but when you
have an open forum like this, you are asking for trouble with snotty replies.

This forum should be a PR beacon for awesome customer support!

~~~
neilkelty
Those aren't Dropbox employees.

~~~
alexanderh
This is correct, but also irrelevant.

They are representing the company as forum moderators whether they like it or
not.

I agree with others that they should at least have the word "Volunteer" in
their forum account title. Not just "Moderator".

You and I know they aren't dropbox employees, but I wouldn't expect most
people to assume that. That's a big problem.

------
jewel
I also give out a separate email address to every service I sign up for. So
far geico, mint, and dyndns have lost or sold my email address. I haven't
gotten any spam on my dropbox account, but I've only had an account since
2012-10-02.

I don't run any spam filtering, at all, and my email box is the catchall for
my domain. These aren't just lucky guesses.

~~~
Khao
I'm surprised to see mint in that list. Have you contacted them in any way
about this?

~~~
purephase
Why are you surprised? It's a free service. I assume that my data is for sale
for every free service I use.

Also, the parent is Intuit which, IMO, is not exactly tops when it comes to
data security and privacy.

~~~
Khao
Because the point number 1 on their Privacy and Security Policy is "Your
Privacy is not for sale" : <https://www.mint.com/how-it-works/security/policy/>

The way it is worded, it seems like your e-mail may be used by Intuit for
promotion or by third-parties bound by the same privacy policies, but
certainly not sold for spam.

~~~
k3n
> [...] it seems like your e-mail may be used by Intuit for promotion or by
> third-parties bound by the same privacy policies, but certainly not sold for
> spam

Same difference in my book. If you are not the original entity that I supplied
my address to, and I get email from some 3rd party, that's SPAM. Sure, you
could argue that it's in the T&C and that I "agreed" to it, but it's still
SPAM the way I see it. And since it's a 3rd party, then that'd mean my
information was sold (or otherwise bartered/traded).

~~~
Khao
For me there is a clear difference between "Hey! You use Mint, we thought you'd
like [finance product X] Try it free!" and "Your paypal account has been
compromised, log here to reset your password : www.paypalscam.com/reset"

------
xer0x
Holy crap Dropbox's moderators make me want to terminate my account with them.

~~~
EvanAnderson
Reading that thread was painful. I always use custom one-off email addresses
for services I sign up for. When I've attempted to report disclosure of my
email address I'm almost always met with major skepticism. It's maddening.

I used to enjoy the reactions I'd get from store clerks and telephone reps
when I give them my email address. "Oh, how do you have an email address with our
company name in it?" In recent years the reactions have turned kinda hostile,
"What is your connection with our company?" and once "You can't have our
company name in your email address." I gave up fighting and now I just use
random strings.

~~~
nwh
I recently had to sit through a customer rep read a 32 character long
alphanumspecial email address out to me for "security reasons". Bet she was
glad I didn't use unicode.

~~~
saraid216
You might consider just picking one or two random words from the dictionary.

~~~
signed0
That sounds like a fun idea for an app/service. You provide it with your base
email address or custom domain and it generates a couple random words and
keeps track of what service you used it to sign up for.

~~~
GhotiFish
I spent a little time thinking about this concept and how it relates to just
having a dummy account you control, for giving to services you don't fully
trust.

As long as you use a secure password, and you don't use the same one. I don't
see a lot of difference, but the ability to sandbox each service to a list of
email accounts, so that the attacker never knows the master account, would be
an extra layer of security.

Utility exists here. I just don't think there's enough utility to justify the
work.

~~~
nwh
I use something similar already. I've a domain that is used purely for my
email. Normal addresses like webmaster@ are rejected. A script on the server
takes the domain I am registering for a service on (eg "google.com"),
generates a random-looking but deterministic address, and creates an alias
for that address to my real inbox.

End result is that everyone gets a unique email that can't be guessed, I can
nuke an address as soon as it starts sending me spam (often) and my true inbox
is typically completely clean.

I initially made the mistake of trusting my bank and utility billing systems
with my real address. Turns out my power company had their database
compromised, and when I called to inform them they refused to believe me (like
Dropbox).
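
An added sketch of the scheme described in the comment above, not the commenter's script: each service name is mapped to a random-looking but deterministic alias with a keyed hash, and a registry attributes incoming recipients and supports revoking a leaked alias. HMAC-SHA256, the 10-character base32 local part, the key and the domain `example.net` are all assumptions.

```python
import base64
import hashlib
import hmac

# Assumed parameters for this sketch (none of them come from the comment).
SECRET_KEY = b"constructed-demo-key"  # constructed sample key, kept server-side
MAIL_DOMAIN = "example.net"           # placeholder mail-only domain
ALIAS_LEN = 10                        # 10 base32 chars = 50 bits of the MAC


def normalize_service(service: str) -> str:
    """Canonical form so 'WWW.Google.com.' and 'google.com' map to one alias."""
    name = service.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def alias_for(service: str, key: bytes = SECRET_KEY, domain: str = MAIL_DOMAIN) -> str:
    """Deterministic alias: same service + key always gives the same address,
    but without the key the address cannot be predicted from the service name."""
    mac = hmac.new(key, normalize_service(service).encode("utf-8"), hashlib.sha256).digest()
    local = base64.b32encode(mac).decode("ascii").lower()[:ALIAS_LEN]
    return f"{local}@{domain}"


class AliasRegistry:
    """Tracks which alias went to which service and which ones were nuked."""

    def __init__(self, key: bytes = SECRET_KEY, domain: str = MAIL_DOMAIN):
        self._key = key
        self._domain = domain
        self._issued = {}      # alias -> service it was handed to
        self._revoked = set()  # aliases that started receiving spam

    def issue(self, service: str) -> str:
        alias = alias_for(service, self._key, self._domain)
        self._issued[alias] = normalize_service(service)
        return alias

    def revoke(self, service: str) -> None:
        self._revoked.add(alias_for(service, self._key, self._domain))

    def classify(self, recipient: str):
        """Return (verdict, service). Anything never issued (webmaster@,
        dictionary guesses) is 'unknown', so there is no catch-all to hit."""
        rcpt = recipient.strip().lower()
        service = self._issued.get(rcpt)
        if service is None:
            return ("unknown", None)
        if rcpt in self._revoked:
            return ("revoked", service)
        return ("deliver", service)


if __name__ == "__main__":
    reg = AliasRegistry()
    dropbox = reg.issue("dropbox.com")
    print("alias handed to dropbox.com:", dropbox)
    print(reg.classify(dropbox))                  # mail to it names the service
    print(reg.classify("webmaster@example.net"))  # guessed address is rejected
    reg.revoke("dropbox.com")                     # spam arrived: nuke the alias
    print(reg.classify(dropbox))
```

Because the mapping is keyed, spam arriving at an issued alias points at the one service that was given it, which is the attribution argument made throughout this thread.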

~~~
LancerSykera
A good five years ago I got two phishing emails to two unique addresses that I
had used to contact a local bank. They also refused to believe me, and it was
basically my fault for not securing my computer. Somehow.

~~~
nwh
Well that's terrifying.

------
Havoc
Damn that's weak. Moderator "Andy Y." doesn't seem to grasp wth is going on at
all and the rest of the moderators blatantly ignore ~5 people reporting
_unique_ email addresses being leaked.

So much for Dropbox...

------
ph33r
Why do people continue to upload and trust their data to this company? I
closed my Dropbox account back in 2011 when they had that 'bug' that made
passwords for any account optional for four hours.

Since then they have had more security problems/breaches, and admitted to user
info being stolen.

Today's news isn't anything concrete... but their moderators were jerks, which
makes the company look bad whether they are employees or not.

~~~
johnward
What alternatives are there?

~~~
ph33r
Google Drive, SpiderOak, SugarSync, Skydrive, Amazon Cloud Drive, Box.net.

~~~
bsg75
Which of these use client side encryption?

~~~
danielsamuels
There's always <https://mega.co.nz/>

------
mnicole
Déjà vu times two: <http://news.ycombinator.com/item?id=4264330> &
<http://news.ycombinator.com/item?id=4255927>

------
lucb1e
Sean, who also posted in the forums on page two and apologised for the
moderator's behavior, contacted me by e-mail to send him the spam e-mails that
I received. It looks like they're taking it seriously now :) Needless to say,
I provided all details that I have (connection log, full mail source).

For those who are curious, this is what I received:

 _Hi Luc,_

 _My name is Sean, I work on the User Security team at Dropbox. We'd like to
look into the issue you reported on the forums. If possible can you forward the
emails in question directly to me (xxxx@dropbox.com)._

 _Thanks._ _Sean_

------
kiwim
> Just the fact that you listed your emails says it all.

Wow, that moderator is really professional.

------
gottagetmac
I was skeptical at first, but the rest of the evidence makes it look like it's
not a coincidence.

~~~
lucb1e
This is most definitely not a coincidence. I can tell because this totally
explains the spam in the past few days to my school e-mail address. I too use
an e-mail address unique for everything, so I thought school leaked it, but
this is the only plausible alternative (had to use the school e-mail address
on Dropbox for the Space Race a while ago).

------
nathanb
Has anyone who created a Dropbox account AFTER July of 2012 noticed this spam
increase?

If not, it may be that the compromised list of addresses from summer of last
year has finally reached evil hands.

~~~
simmons
For what it's worth, I signed up for a Dropbox account in late December, and
have not received spam at the unique address I provided.

------
lucb1e
Aha, that explains it! I've been contacting school about my e-mail address
being spammed; I was certain I never publicly posted it. I used my school's
e-mail address for the Dropbox Space Race a while ago.

~~~
simonster
There are several reasons you could be getting spam that aren't related to
Dropbox. Without knowing your address, it's possible that the spammers
randomly guessed it. Another possibility is that a friend's email or Facebook
account was compromised, exposing your email address. (I get a disturbing
amount of spam this way.) The cases described in the Dropbox forum are more
convincing because the addresses were used only for Dropbox and don't seem to
be guessable.

~~~
badgar
It fascinates me how desperate folks are to excuse Dropbox. I wonder why - is
it because they're a startup?

~~~
pixl97
No, not because they are a start up, but because it's really damn easy for
$random_internet_user to get compromised and not realize it.

Did $random-user share his dropbox email with someone else who was
compromised?

Did $random-user save his dropbox email on a large service (like Yahoo), which
he had compromised?

Did $random-user not update Java, Adobe, Windows, etc and have his machine
compromised? Or in some other way leak information?

I'm not in any way excusing Db, but uncritically blaming them without other
possible scenarios seems just as asinine.

~~~
badgar
> I'm not in any way excusing Db, but uncritically blaming them without other
> possible scenarios seems just as asinine.

Except you're wrong here - they've admitted they leaked all these unique email
addresses, and it isn't actually some cataclysmic combination of coincidences
that all these users were compromised. As would otherwise need to be the case.

------
techpeace
They aren't letting me post to the forums, but I can also report receiving
spam, but only on an address I formerly used with this account, not my latest
address.

------
adders
I use a catchall and give different email addresses to everyone. I've received
3 spam emails in the past month to my dropbox account, but they aren't the
only ones with problems, for example the following are the number of spams for
various sites:

* 2 emails Foursquare
* 6 emails Groupon
* 6 emails Rackspace
* 25+ emails Ticketmaster
* 50+ Absolute Radio (UK Radio station)

Absolute Radio was hacked, not sure about the others.

------
AbhishekBiswal
The Moderator thinks that the user who created that post and his supporters
are idiots. How would someone get to know that a user has an email
lala.dropbox@xyz.com, if the user hasn't used it anywhere else?

What happened to you Dropbox?

------
robk
Just checked my spam folder and sure enough 5 spam emails to my unique dropbox
address.

~~~
michaelhoffman
I just did the same thing. Two phishing scams sent to my unique Dropbox
address, including one from the nacha.org scam mentioned in the original
thread.

------
driverdan
I suspect this is a _MUCH_ larger problem than people realize and _not_
Dropbox's fault.

I've noticed in the past few months I've been getting spam to a lot of site
specific emails I've used under my Gmail catch all. It's as if a spammer had
access to all email addresses I've used for incoming mail. I've talked with
friends and found some have had the same problem.

So where are spammers getting the email addresses we've received email from?

1. There's a vulnerability in Gmail / Google Contacts.

2. Some widely used app I've allowed to access my email has been hacked or
has been selling email addresses.

3. An Android app that requires access to my email is compromised, either
intentionally or unintentionally.

The least likely one I haven't mentioned is that many independent companies
have sold my emails which I find very unlikely.

So what's causing this to happen?

~~~
badgar
> So what's causing this to happen?

4. You're leaking your own email addresses.

Start by looking for malware on every device you touch.

~~~
driverdan
I can guarantee you that none of my devices contain malware. Like I said, a
trojan Android app could be a possibility but seems unlikely.

~~~
diminoten
If you have the ability to guarantee that _any_ device is malware free, you
could make a _lot_ of money in the security industry, as no one else in the
world has such a power.

~~~
driverdan
Who said that? I said _my_ devices, not _any_ device.

~~~
diminoten
Still.

------
codyko
That Chris guy should be fired. A laughable excuse for customer service.

EDIT: Looks like they're volunteers. But still.

------
DigitalSea
The part that made me laugh about all of this is the fact the moderators are
saying that spammers most likely guessed all of the unique email addresses
people are complaining have been spammed that are only used for Dropbox. That
doesn't sound plausible at all, especially considering it's multiple people
complaining of being spammed here.

Dropbox's customer service has really gone downhill, what happened?

------
Foomandoonian
Dropbox should rename mods 'Support Volunteers' or something, just so users
know what kind of help they're getting.

I don't understand why the mods were so quick to defend DB, especially since
they don't appear to have access to any privileged info. Dropbox has over 200
employees now and whatever precautions they take an occasional slip-up seems
entirely possible.

------
pyvek
Everyone who received the spam should pastebin the emails along with the
header and share them for comparison. If those spam messages are found to be
similar then it can be pinpointed that they all have originated from the same
person/group and it was no usual hit & miss technique by the spammers which
the moderator is contemplating about.

------
TorKlingberg
This post in the forum thread may be on to something:

"I also have a unique dropbox email address, it was compromised on 2/6, but I
tracked it down to a friend's system that was hacked. I had shared a dropbox
folder with them, they got the email from my dropbox address. Virus on their
system collected my dropbox email from their system."

------
FuzzyDunlop
This makes me think about why I've been receiving spam at my professional
email, which I tend to use quite sparingly.

------
deeqkah
You know, it's funny because i got a very clever Pay Pal phishing e-mail this
morning, linking to a PHP script hosted on renault-astrakhan.ru

What's worse is that i sent invitations to dropbox time ago to people that i
have to now contact and say "Please be aware of this phishing e-mail disguised
as a Pay Pal e-mail."

+1 for an alternative service, to be honest. Dropbox is very well done, but
this is a good reason to stop using their service if they can't secure their
clients' information.

It would greatly benefit them if they found the root of the problem, and
reported if it were indeed an issue with them or one of the clients for
dropbox.

------
ddrager
What about the possibility that end-users' computers are breached?

- User/pass is saved in the 'Remembered password' area of browser (this is
  decodable by malware)
- Email is screen-scraped by malware
- Email is sniffed during login at a wifi hotspot (Password is encrypted,
  user/email may not be)
- 3rd party apps that are linked to your dropbox account

I'm not saying that this wasn't caused by the database breach, but there are a
TON of reasons that this could have happened. Some on Dropbox, some on the end
users.

Don't expect your email address to stay private. That's what passwords are
for.

~~~
danielweber
Yeah, it's tough to really know who leaked. Alice and Bob both know secret S,
and each can blame the other if S is leaked, but neither of them really knows
who did it.

There have been some research projects where unique and unguessable passwords
were made in laboratory conditions and securely given to sites to see if they
managed to leak. I trust those a lot more because they often lock up the email
addresses and never use them. From what I recall some big companies did give
out addresses they promised not to, but that's not a blanket condemnation of
all businesses.

------
hakaaaaak
Fortunately, GMail handles almost all of my spam, so this stuff is a non-event
for me. But I don't like that there may have been a security breach. Thanks to
whomever HN'd this so it would get attention.

------
lawnchair_larry
I have a unique email address for dropbox that has not received any spam. I
created it a couple years ago but only used it once briefly.

~~~
claudius
I didn’t get any spam either, but then a short grep through my mail.log showed
this:

    2013-02-28T18:05:18.865406+01:00 nfc postfix/smtpd[14995]: NOQUEUE: reject: RCPT from bl14-172-78.dsl.telepac.pt[85.247.172.78]: 504 5.5.2 <discus>: Helo command rejected: need fully-qualified hostname; from=<fuzzilyjg755@lanuschny.de> to=<X_dropbox@example.net> proto=ESMTP helo=<discus>

~~~
spydum
It is as if spammers don't even try anymore! Bogus helo is so 1990s..

~~~
claudius
Postfix’s reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, and
reject_unknown_helo_hostname really work wonders for me – but then it is only
a small server with 1.5 users and a total of about 300 delivery attempts a day
(85% rejected, 5% later classified as spam, 10% actual email).
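
An added example, not the commenter's tooling: a parser for Postfix `NOQUEUE: reject: RCPT` lines that tallies rejected delivery attempts per watched unique address, so a leaked alias shows up even when nothing reaches the inbox. The first sample line is the one quoted above; the others are constructed, and the `WATCHED` set and function names are assumptions.

```python
import re
from collections import Counter

# Matches the smtpd reject format shown in the comment above. It is searched
# (not anchored) so the syslog timestamp/host prefix can be in any format.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]:\s+NOQUEUE: reject: RCPT from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\s+"
    r"(?P<code>\d{3})\s+(?P<dsn>\d\.\d+\.\d+)\s+(?P<detail>.*?);\s+"
    r"from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]*)>\s+"
    r"proto=(?P<proto>\S+)\s+helo=<(?P<helo>[^>]*)>"
)

SAMPLE_LOG = [
    # Line quoted in the comment above.
    "2013-02-28T18:05:18.865406+01:00 nfc postfix/smtpd[14995]: NOQUEUE: reject: "
    "RCPT from bl14-172-78.dsl.telepac.pt[85.247.172.78]: 504 5.5.2 <discus>: "
    "Helo command rejected: need fully-qualified hostname; "
    "from=<fuzzilyjg755@lanuschny.de> to=<X_dropbox@example.net> proto=ESMTP helo=<discus>",
    # Constructed lines below (documentation IP ranges, example domains).
    "2013-02-28T19:12:40.101010+01:00 nfc postfix/smtpd[15102]: NOQUEUE: reject: "
    "RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.invalid>: "
    "Helo command rejected: Host not found; "
    "from=<sender@example.org> to=<x_dropbox@example.net> proto=ESMTP helo=<mail.invalid>",
    "2013-02-28T19:30:02.500000+01:00 nfc postfix/smtpd[15140]: NOQUEUE: reject: "
    "RCPT from unknown[198.51.100.7]: 504 5.5.2 <pc>: "
    "Helo command rejected: need fully-qualified hostname; "
    "from=<other@example.org> to=<newsletter@example.net> proto=SMTP helo=<pc>",
    "2013-02-28T19:31:00.000000+01:00 nfc postfix/smtpd[15140]: "
    "connect from unknown[198.51.100.7]",
]

# Unique per-service addresses to watch (assumed; taken from the quoted line).
WATCHED = {"x_dropbox@example.net"}


def parse_rejects(lines):
    """Return one dict per reject line; all other log lines are skipped."""
    records = []
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # detail looks like "<helo>: Helo command rejected: ..."; keep the reason.
        parts = rec["detail"].split(": ", 1)
        rec["reason"] = parts[1] if len(parts) == 2 else rec["detail"]
        records.append(rec)
    return records


def summarize(lines, watched=WATCHED):
    """Tally rejected attempts per watched address (case-insensitive)."""
    watched = {w.lower() for w in watched}
    summary = {}
    for rec in parse_rejects(lines):
        rcpt = rec["rcpt"].lower()
        if rcpt not in watched:
            continue
        entry = summary.setdefault(
            rcpt, {"attempts": 0, "ips": set(), "senders": set(), "reasons": Counter()}
        )
        entry["attempts"] += 1
        entry["ips"].add(rec["ip"])
        entry["senders"].add(rec["sender"])
        entry["reasons"][rec["reason"]] += 1
    return summary


if __name__ == "__main__":
    for rcpt, info in summarize(SAMPLE_LOG).items():
        print(rcpt, info["attempts"], sorted(info["ips"]), dict(info["reasons"]))
```

Attempts from several unrelated client IPs to one unique address are the signal that the address is on a list, independent of whether the HELO checks let any of it through.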

------
johngalt
Is that dropbox@domain.com email listed on any of your phone contacts? Ever
had a virus on a machine that has sent or received an email from that account?
How many people know that account exists? Only one of them needs to have a
careless attitude about permissions.

~~~
lucb1e
Nope, nope and nope.

~~~
jasonlotito
See, the problem with that email address (dropbox@example.com) is that it
tells me that I can try amazon@example.com, paypal@example.com. So, if I get
access to an email for somerandomsite@example.com, trying these others is
fairly trivial. It takes no time to suddenly generate an effective list of
emails to try.

The point being, using a pattern is easy to discover. Even if that pattern is
a random set of characters.

Would spammers email this? Yes. Why? Because they bought an email list that
someone generated using this method.

Not saying this is what happened here, but if you've entered in emails on a
site, you open yourself up.

~~~
lucb1e
Nope. I didn't use dropbox@mydomain but another string that was not guessable.

And how is a random pattern easy to discover? Quite coincidental that of the
hundreds of addresses, just the three that are used for Dropbox are receiving
spam in the past few days.

The spam I'm receiving is the kind of spam that you attempt to send to a non-
tech audience (obvious phishing is obvious). The addresses were harvested, not
carefully picked by looking at other addresses I used with my domain. The word
"dropbox" is not even in the spammed addresses; they were school addresses. I
never publicly mentioned I even went to that school. They are also three
variants on the school's name, incredible that they picked just these three to
spam.

------
reader_1000
I checked my e-mail account that I used for dropbox and there is a spam mail
coming from ...@direct.nacha.org which is the same domain which one of the
customers in the forum received. So it seems they are right, this is not a random
guess.

------
tlrobinson
Why is Dropbox letting volunteer moderators represent them so poorly? Dropbox
is a grown up company now, train and pay a couple people to moderate, or at
least make it more clear they're volunteers not employees of the company.

------
unreal37
This dropbox forum is exploding. Fascinating to watch.

As an aside, who knew so many people had "dropbox only" email accounts. One
guy with 10 random letters/numbers he uses only for dropbox. Wow. Is this a
thing?

~~~
jzse
Email standard lets you use a random string in the address if you type + after
your "name".. For example you have address hehe.haha@gmail.com, and now you can
give dropbox hehe.haha+dropbox@gmail.com and still get the mails that dropbox
sends to the same hehe.haha@gmail.com box while "send to" still remains
hehe.haha+dropbox@gmail.com.

This is the best way (that I know) to find out where your address was leaked.

~~~
efdee
Since it's a standard, it's worthless. Any spammer worth his salt would remove
everything after the '+' sign from the email address.

------
uptown
What about a possible leak from a 3rd party? Did you, by chance, use Mailbox?
Do third-party apps (1Password, etc.) that sync using Dropbox get access to
your email address?

------
alan_cx
I have to say, accusing Dropbox of leaking in the title of the thread,
without any actual basis, since it is possible that the user cocked up somewhere,
is not the best way to get polite support. Yes the mods could have been a lot
more professional, but I can see why their backs were up and why they would be
defensive.

On the other hand, too often as a user I feel I have to walk on eggshells to
avoid upsetting some over sensitive petal of a forum mod. One misunderstood
word and you are banned for life, with no appeal whatsoever.

All of which leads me to think there should be some third party arbitration
for this sort of thing.

~~~
__david__
No, it's perfectly fine to accuse in this case. It's very unlikely for
something like that to be guessed and the dropbox moderators should understand
how email works or else they shouldn't be responding.

------
bshanks
Slightly off-topic, but what kind of forum software does Dropbox use? I like
the clean look and the use of the blue background for the Dropbox employee.

------
trekkin
That's why client-side encryption is useful - even with the company (Dropbox)
not leaking/selling their users' data on purpose, it is easy to inadvertently
leak it.

Proper client-side encryption, while often not appropriate in critical
environments, is useful to protect against this type of situation.

Disclosure: I run AES.io

------
weix
why? welcome to the cloud world!

------
dimadima
I'm all for busting some balls, especially if we're talking Dropbox. But shit
like this happens all the time, and it's not like by busting some balls here
we're going to improve the situation broadly speaking.

It's really absurd to expect that your information will actually be
safeguarded by some entity that isn't you. As soon as you give any data to
anyone, it's gone. You should pretty much assume it's public and get on with
your life. Did y'all catch that blog post up yesterday from the kid who
deleted the USERS table at his job, because he was developing against a
production database and running queries against it by hand? Experience has led
me to believe that's the situation at like all things, everywhere, all the
time. Ass clowns emailing around spreadsheets with user data; people getting
malware installed on their Windows shit and entire infrastructure's data being
compromised. It's a joke. Let's just always remember that while we're busting
balls. But if you value your data, don't give it to anybody, ever.

