Posts from frustrated users are pouring into the Dropbox forum about spam arriving at email addresses connected to Dropbox accounts. Posts such as the following have been coming in since yesterday.
Since today, I receive spam from [website link clipped] to an email address that is in use at Dropbox only (firstname.lastname@example.org).
So I guess you have a security problem with your user account data. And this sucks a lot.
Although spamming software can select email addresses at random, the number of affected users points to some kind of breach on Dropbox’s side.
The initial reply from Dropbox support was as follows:
Generally, it is possible that these email addresses got released to the general population when you either shared a folder or sent a referral invite. When you send these to other people, your email is attached in the reply-to field and it is possible that a compromised referral could have gotten their address book stolen by spammers. This is the most likely scenario.
But, apparently, users who have never used the referral system have also been receiving spam. This spam wave might be the result of a compromise of Dropbox’s mail server, but that cannot be confirmed yet. Last year, a security glitch allowed anyone to log in to any Dropbox account with an incorrect password.
We have contacted Dropbox for more information about the situation but have not yet heard back.
UPDATE: A Dropbox spokesperson has sent us the following statement.
We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.