When Dropbox received multiple complaints of spam flooding the accounts of some European users, they immediately went into action and hired an outside security team to run an investigation.
The good news is that the team didn’t find any evidence of a security breach. The bad news is that they have no idea why users are getting spammed on their Dropbox-only email addresses. Dropbox posted this update on its forums:
“We wanted to give everyone another update on our investigation into the reports of spam.
As of today, we’ve found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts.
We’ve reached out to users who’ve reported receiving spam messages and are closely investigating those reports.
Security is our top priority and we’ll let you know if we uncover evidence that these email addresses came from Dropbox.”
The spam messages, which use Russian DNS servers, are being sent to many different European countries but are always in the recipient’s native language. This suggests a very carefully designed attack. Where it’s coming from remains a mystery. It’s possible that the affected users did use these email addresses elsewhere and forgot, or that it is their own systems that have been compromised, not Dropbox’s. If you’ve gotten spammed on an address you only use for Dropbox, be sure to let Dropbox know. The more reports the company gets from affected users, the better its chances of figuring this mystery out.
We’ll continue to update as new information is revealed.