

Dropbox users' email addresses targeted by spam? - Xymak1y
http://forums.dropbox.com/topic.php?id=64367
edit: I updated the title to more specifically address the issue.
======
floatingatoll
If the user's computer is compromised, a simple SQLite query run against the
Dropbox configuration database would reveal all Dropbox email addresses in use
by that user.

If the user's email is compromised, the Dropbox confirmation email would be
easy to locate and harvest, either from their mailbox, or their mail hosting
provider's delivery logs.

(Usually, however, malware simply scans for _all_ incoming email addresses,
and then reports them to a central authority for later spamming.)

EDIT: As pointed out elsewhere in this thread, the email address
<dropbox@yourdomain> is trivially guessable by dictionary spam attacks.

There are many routes to this information leaking. It is not at all apparent
whether it's Dropbox yet.

Given that Dropbox security is actively responding in the linked forum, it
seems as though this HN post - submitted by one of the users posting in that
thread as "affected" - is solely to create "buzz", rather than to share news
with Hacker News.

~~~
Xymak1y
As pointed out by users in the forum post, the compromised e-mail addresses
have been used not on just one Dropbox account but several. Additionally those
e-mail addresses were not just trivial guesses like dropbox1@domain.com or
dropbox2@domain.com, or at least they were for me.

Maybe I'm missing something here, but where else could a non-guessable e-mail
address which was never used anywhere else been leaked from if not Dropbox
itself?

~~~
floatingatoll
Offhand, it could be leaked from your hard drive or any backup thereof, from
email stored on any of your desktop or mobile devices, or from your email
provider's mail stores or mail logs. There's probably other ways too.

EDIT: Apps. Any app you've ever authorized to use your Dropbox account could
have leaked the email address - for instance, via plaintext logs, or malicious
behavior, or well-intended but stupid behavior - by writing the email address
in plaintext to disk, or uploading it to a remote server and then losing
control of it there.

------
dr_faustus
Just searched in my Spam folder for the email address I only use for Dropbox
et voilà: I got the spam messages mentioned. After the password-gate last year
([http://blog.dropbox.com/index.php/yesterdays-authentication-...](http://blog.dropbox.com/index.php/yesterdays-authentication-bug/))
this is the second major security breach by a company I
(and many people I know) have a lot of data entrusted to... This really sucks!

What's even worse: The first reports came in (from users!) over one day ago and
the forum thread seems to indicate that they still have no clue what happened!

[Update] One possibility might be that Dropbox is not the culprit after all
but that the spammers started to realize that people use those service-specific
addresses more and more and they just send out emails to
[some-service-name]@[some-domain]. At least my address is dropbox@[mydomain].

So let's hope for that...

~~~
thoughtsimple
Any response from Dropbox yet on this?

Given their previous problems, you would think they would be on top of this
immediately.

~~~
frossie
Page 2 of the OP, highlighted comment, quote:

"Hi all,

We are actively investigating your reports. If you have any additional
information, please email security@dropbox.com, and we’ll be sure to follow up

Joe"

------
bradleyland
While it appears plausible (likely, even) that Dropbox is the source of the
disclosure, it's not verifiable as fact until someone identifies the method
used to obtain the email addresses. This makes the title inappropriate.

Malware frequently targets address books and browser forms as a means of
harvesting email addresses. Not saying that it can't be Dropbox, and I'm not
saying that it's even unlikely, but years of troubleshooting have taught me
not to name the root cause until I can verify it myself. This is even more
true when you're putting someone else's reputation on the line.

~~~
wlesieutre
It also often targets specific applications to steal credentials from. I know
there have been badwares that harvest saved Steam account names and passwords
(hopefully they're stored more securely now, but who knows?), and the same
could be true for Dropbox email addresses.

The address book scenario or dropbox breach both seem more likely, but it's
worth keeping in mind.

------
joealba
A quick browse through my domain's catchall spam folder shows an e-mail
addressed to techdirt@mypersonaldomain. I don't have a techdirt account -- nor
have ever used this e-mail address anywhere. Yes, spam bots make guesses,
folks.

The Internet would be a better place if people would stop, take a deep breath
and think before they type.

Good idea: Let the dropbox folks know that you received spam to a custom
address tied to their service and let them look into it, whether it be a
directed spam campaign or a possible leak.

Bad idea: "OMG!!1! Dropbox is pwn3d! Admit it! Apologize for your wrongs!"

------
ecaron
I don't see any confirmation in the forum that the "e-mail addresses of users"
was leaked by Dropbox. It also appears to be mainly Euro-centric accounts. So
while there is certainly a problem and it is very likely originating with
Dropbox, the title is quite misleading and overly condemning given the known
facts.

~~~
Xymak1y
I've been personally affected by this leak. All the e-mail addresses that I am
now receiving spam on have only been used for Dropbox purposes and nothing
else. In addition this was over a year ago. So - email only used for dropbox,
last transferred over the web a year ago: where else would it have been leaked
from?

// I did change the title to not mislead readers.

------
adanto6840
I use a specific "MYNAME-dropbox@MYDOMAIN.com" email address for Dropbox and I
can confirm that my Dropbox-specific address has NOT received any SPAM
messages.

The only messages that have ever been sent to that specific address are from
Dropbox themselves...

~~~
moepstar
My generic @gmail.com email address has yet to receive any casino specific
spam either - and I'm from .de so it seems it has been guesswork on the part
of the spammers?

~~~
moepstar
Ok, to reply to myself, there really seems to be something wrong with Dropbox...

The email address I signed up with and the one that is attached to my account
is @gmail.com

However, I've recently invited 2 people with my personal @gmx.de email (using
the iPhone app) and guess what...

I've got Euro Dice spam in my spam folder there :(

------
gingerlime
I've had the same issue with box.net a few weeks/months ago. I only signed up
for their service and never really used it, and I used a one-off email address
that is randomly generated and used only for the service. I do this regularly
now. With each service I subscribe to, I first generate a unique random
email address, so if I start to get spam, I can either block this address
only, or at least know where it was leaked...
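
gingerlime's approach above (one unique address per service, so spam reveals which service leaked it) and joealba's point that a catchall domain also attracts guessed addresses like techdirt@ or dropbox@, as an added example that is not from this thread or from Dropbox: a small Python tool that issues per-service aliases and then triages the recipient addresses found in a spam folder. One design choice of mine, not gingerlime's: instead of a purely random string plus a stored lookup table, the random-looking tag is an HMAC of the service name under a private key, so attribution needs no database and an address that merely looks like an alias (a dictionary guess) fails verification. The key, the domain and the sample recipient list are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed example key: in practice keep it in a password manager, not in code.
ALIAS_KEY = b"constructed-example-key-rotate-me"
DOMAIN = "mypersonaldomain.example"   # hypothetical catchall domain
TAG_LEN = 10                           # hex chars of the keyed tag kept in the address


def _tag(service: str, key: bytes) -> str:
    """Keyed tag for a service name; unforgeable without the key."""
    return hmac.new(key, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_alias(service: str, key: bytes = ALIAS_KEY, domain: str = DOMAIN) -> str:
    """Return a per-service address such as 'dropbox-3f9a1c0b7e@domain'.

    Service names must be plain [a-z0-9] so the hyphen separates name and tag.
    """
    svc = service.lower()
    if not re.fullmatch(r"[a-z0-9]+", svc):
        raise ValueError("service name must be alphanumeric")
    return f"{svc}-{_tag(svc, key)}@{domain}"


ALIAS_RE = re.compile(r"^([a-z0-9]+)-([0-9a-f]{%d})@(.+)$" % TAG_LEN)
GUESS_RE = re.compile(r"^([a-z0-9]+)@(.+)$")


def attribute(address: str, key: bytes = ALIAS_KEY, domain: str = DOMAIN):
    """Classify one recipient address seen in the catchall or spam folder.

    Returns (verdict, name):
      ('issued', svc)    a genuine alias -> that service leaked or shared it
      ('forged', svc)    alias-shaped, but the tag does not verify -> a guess, not a leak
      ('guess', local)   plain <name>@domain, e.g. dropbox@domain -> dictionary guess
      ('unknown', None)  anything else (other domain, dotted local part, ...)
    """
    addr = address.strip().lower()
    m = ALIAS_RE.match(addr)
    if m and m.group(3) == domain:
        svc, tag = m.group(1), m.group(2)
        if hmac.compare_digest(tag, _tag(svc, key)):
            return ("issued", svc)
        return ("forged", svc)
    m = GUESS_RE.match(addr)
    if m and m.group(2) == domain:
        return ("guess", m.group(1))
    return ("unknown", None)


def triage(recipients, key: bytes = ALIAS_KEY, domain: str = DOMAIN):
    """Group observed spam recipients by verdict; the 'issued' bucket is the leak list."""
    report = {"issued": set(), "forged": set(), "guess": set(), "unknown": set()}
    for r in recipients:
        verdict, name = attribute(r, key, domain)
        report[verdict].add(name if name else r.strip().lower())
    return report


# Constructed sample: recipient addresses pulled from a catchall spam folder.
SAMPLE_RECIPIENTS = [
    issue_alias("boxnet"),                          # a real alias now receiving spam
    "dropbox@mypersonaldomain.example",             # service-name guess
    "techdirt@mypersonaldomain.example",            # service-name guess
    "dropbox-deadbeef00@mypersonaldomain.example",  # alias-shaped, tag does not verify
]

if __name__ == "__main__":
    print("new alias:", issue_alias("dropbox"))
    for verdict, items in triage(SAMPLE_RECIPIENTS).items():
        print(f"{verdict:8s} {sorted(items)}")
```

Only addresses in the `issued` bucket say anything about a service; a hit in `guess` or `forged` is the dictionary-spam case several commenters describe and tells you nothing about who leaked what. Rotating `ALIAS_KEY` invalidates every old alias at once, so keep the previous key around if you still want to attribute mail to aliases issued under it.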

------
dhyasama
My favorite part of the support forum is the suggestion to submit a ticket and
it will "usually" be addressed in 1-3 days.

~~~
antoko
To be fair, that wasn't a post by Dropbox staff, just a random user.

------
TomGullen
Here's one way to get people's email addresses. For what it's worth, I emailed
DropBox about this a long time ago (months ago) and didn't even get a reply to
my email!

If you use your DropBox referral code, on this page:

<https://www.dropbox.com/account/bonus>

You will see a list of people's email addresses that clicked the link and
signed up. Unbeknownst to them you have their email addresses.

We have hundreds of these email addresses in our account as we have been
promoting DropBox on our website for a long time. The referral status page
also shows information about how far through the install they are, when they
signed up etc.

This is bad because it makes phishing quite easy.

Perhaps not the source of the spam, but nonetheless still a bad execution in
my opinion.

------
justauser
But this doesn't mean anything though right since all encryption happens
clientside right? Oh...wrong service. This is Dropbox so they have the key on
their end.

~~~
awayand
makes it hard to deduplicate encrypted data maybe?

~~~
justauser
Explain that to users AND businesses who trust Dropbox with sensitive
information.

~~~
Nanopy
My sensitive information is in a truecrypt container...does dropbox market
itself as a business backup solution, or just consumer?

