Another day, another leak. In this case, not only have users discovered they couldn't log into their Dropbox accounts, but it also appears that many email addresses used for the service in Europe have been subjected to a large-scale spam attack.
Sometime yesterday at around 3pm ET, many Dropbox users in Germany, the Netherlands and the UK reported on the Dropbox forums that they couldn't sign into the service and that they were receiving spam from online gambling sites and the like at the email addresses they had specifically created for use with Dropbox. At the time the company declined to comment, but a forum user who self-identified as an employee said Dropbox was investigating the reports.
A few hours later KrebsOnSecurity reported that Dropbox had finally issued a statement on the situation:
We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.
In a second statement just a few hours ago, a Dropbox employee confirmed that the outage was coincidental:
We wanted to update everyone about spam being sent to email addresses associated with some Dropbox accounts. We continue to investigate and our security team is working hard on this. We’ve also brought in a team of outside experts to make sure we leave no stone unturned.
While we haven’t had any reports of unauthorized activity on Dropbox accounts, we’ve taken a number of precautionary steps and continue to work around the clock to make sure your information is safe. We’ll continue to provide updates.
We also want to let you know that the dropbox.com site outage this afternoon (from 12:35 to 12:55 PDT) was incidental and not caused by any external factor or third party.
Not all Dropbox users have been affected in the countries that were targeted.
Although Dropbox is as much of a victim as the end user, it does make us wonder how so many companies of late are leaving themselves open to these kinds of attacks, and how they go about protecting our personal details.