
Email-Address leaked from Dropbox - mjfern
http://forums.dropbox.com/topic.php?page=4&id=64367&replies=111#post-455535
======
pinko
It might be a good idea for large companies like Dropbox--or frankly, anyone
storing email addresses--to include a handful of (long, random, unguessable)
canary addresses in their user DB which sound a high alarm if they ever
receive email.
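
As an added illustration of the canary-address idea in this comment (example code, not from the thread or from Dropbox), the block below seeds a handful of random addresses into a user table, hands the mail gateway only their hashes, and flags any delivery whose recipient matches one. The domain `example.com`, the Postfix-style log lines and the user list are all constructed for the demo.

```python
import hashlib
import re
import secrets
from typing import Iterable

# Assumed domain for the example; the real deployment domain is not on the page.
CANARY_DOMAIN = "example.com"


def make_canary_addresses(count: int, domain: str = CANARY_DOMAIN, nbytes: int = 16) -> set[str]:
    """Return `count` canary addresses whose local part is 128 random bits.

    secrets.token_hex(16) gives 32 hex characters, so a spammer guessing
    local parts from a dictionary cannot stumble on one by chance; the only
    way mail reaches it is through a copy of the table it was seeded into.
    """
    return {f"{secrets.token_hex(nbytes)}@{domain}" for _ in range(count)}


def canary_fingerprints(canaries: Iterable[str]) -> set[str]:
    """Hash the canaries so the mail gateway holds fingerprints, not the plaintext.

    The plaintext addresses live only in the user table being protected; if
    the gateway config leaked instead, it would not reveal the canaries.
    """
    return {hashlib.sha256(a.strip().lower().encode()).hexdigest() for a in canaries}


def is_canary(address: str, fingerprints: set[str]) -> bool:
    """Case-insensitive membership test for a single recipient address."""
    return hashlib.sha256(address.strip().lower().encode()).hexdigest() in fingerprints


# Recipient field of a Postfix-style delivery log line: to=<user@domain>
_TO_RE = re.compile(r"to=<([^>]+)>")


def tripped_canaries(log_lines: Iterable[str], fingerprints: set[str]) -> list[tuple[int, str]]:
    """Return (line_number, recipient) for every delivery addressed to a canary."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        for rcpt in _TO_RE.findall(line):
            if is_canary(rcpt, fingerprints):
                hits.append((n, rcpt.strip().lower()))
    return hits


def build_sample() -> tuple[set[str], list[str]]:
    """Constructed demo data: three canaries seeded into a fake user table, and
    constructed Postfix-style log lines in which one canary receives mail
    (upper-cased, to show the match is case-insensitive)."""
    canaries = make_canary_addresses(3)
    leaked = sorted(canaries)[0]
    logs = [
        "Jul 19 10:02:11 mx1 postfix/local[2101]: 1A2B3C: to=<alice@example.com>, relay=local, status=sent",
        "Jul 19 10:02:12 mx1 postfix/local[2101]: 4D5E6F: to=<bob@example.com>, relay=local, status=sent",
        f"Jul 19 10:03:40 mx1 postfix/local[2101]: 7A8B9C: to=<{leaked.upper()}>, relay=local, status=sent",
    ]
    return canaries, logs


def demo() -> list[tuple[int, str]]:
    """Run the detector over the constructed logs and report any tripped canary."""
    canaries, logs = build_sample()
    fingerprints = canary_fingerprints(canaries)
    hits = tripped_canaries(logs, fingerprints)
    for n, rcpt in hits:
        print(f"ALERT: canary {rcpt} received mail (log line {n}); user table may have leaked")
    return hits


if __name__ == "__main__":
    demo()
```

In a real deployment the canaries would be inserted into the same table, export and backup paths as ordinary users, and the alert would carry the first-seen sender and timestamp so the leak can be dated.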

------
derda
Just two wild guesses from my side, as I don't think that the whole database
got compromised:

1. Some accounts got compromised (phishing, trojan, whatever). In those
accounts a list of all referral email addresses can be seen. Those addresses
have been targeted.

2. The Dropbox application stores information about the email addresses of
people you have a shared folder with somewhere on your machine. This data got
accessed by some kind of malware. Maybe this information could also be
accessed through the web interface of compromised accounts (I am not sure about
that).

Even a small-ish number of compromised accounts could lead to many addresses
being leaked. I for example have about 15 referrals and share folders with
about 50 people.

------
prayag
It's not certain that these leaks were FROM Dropbox. These might well be but
there is no confirmation of this. This was discussed here a few days ago.

<http://news.ycombinator.com/item?id=4255927>

~~~
pygy_
Further down the thread, someone just started receiving spam in his
dropbox@hisdomain address. I assume that the address was exclusively used for
Dropbox...

He receives the exact same spam at his linkedin@hisdomain, which was
previously leaked.

A coincidence is always possible, but the timing is suspicious.

~~~
s_henry_paulson
If you read the whole thread, there are many people with "dropbox only" e-mail
addresses that are being spammed, including some that are claiming that the
address does not include the word "dropbox".

~~~
bandy
Are these people aware of the Rumpelstiltskin strategy? dropbox@, linkedin@
both fit that, but what about the other addresses? Unless your e-mail address
resembles what's currently considered a strong password, you're going to get
spam.

------
elithrar
This has not been confirmed. As Dropbox has stated, they are still
investigating.

------
jayfuerstenberg
Hope my spam filter can handle any higher tides that might result from this.

