Dropbox Announces Spam Investigation Results


When Dropbox received multiple complaints of spam flooding the accounts of some European users, they immediately went into action and hired an outside security team to run an investigation.

The good news is that the team didn’t find any evidence of a security breach. The bad news is they have no idea why users are getting spammed on their Dropbox-only email addresses. They posted this update on their forums:

“We wanted to give everyone another update on our investigation into the reports of spam.

As of today, we’ve found no intrusions into our internal systems and no unauthorized activity in Dropbox accounts.

We’ve reached out to users who’ve reported receiving spam messages and are closely investigating those reports.

Security is our top priority and we’ll let you know if we uncover evidence that these email addresses came from Dropbox.”

The spam messages, which use Russian DNS servers, are being sent to many different European countries but are always in the recipient’s native language. This suggests a very carefully designed attack. Where it’s coming from remains a mystery. It’s possible the people involved did use their email addresses elsewhere and forgot, or that it’s their systems that have been compromised, not Dropbox’s. If you’ve gotten spammed on an address you only use for Dropbox, be sure to let them know. The more reports they get from affected users, the easier it will be for them to figure this mystery out.

We’ll continue to update as new information is revealed.

Written by Sue Walsh


  1. greylines · July 24, 2012

    Very interesting. Same thing’s happened to me a number of times with addresses I’ve given to various sites/companies. (Not Dropbox in my case.) The companies involved insist they have not been compromised and generally suggest it’s either a problem at my end, random guessing, etc.
    It can’t be random guessing as I would see spam to addresses I haven’t created and as for a problem at my end, my security ware says my system is clean. (That’s AVGfree, SpyBot S&D, MBAM, and various big-name online scans.) So, that leaves… what?

  2. Jessica Craig · July 24, 2012

    “The good news is that the team didn’t find any evidence of a security breach.”
    Hm, this is either a cover up for the breach, or the hackers were really good. A third option could be an insider job. Companies don’t like to admit when they have been taken off guard, so I am not surprised to read they found no traces of hackers.

  3. Gel Villanueva · July 28, 2012

    Good thing that they’re quick to ease user concerns about the issue. That is what most companies lack. Aside from lack of immediate action, there is lack of immediate feedback, as well. There is nothing more disconcerting than silence in a crisis scenario. Even just a “We are looking into the matter” or “we are having it investigated” statement would be helpful to users. Of course, if that is the company’s first statement, they should back it up with results of the investigation immediately.

    Because companies will just leave it to speculators on what actually happened, they are leaving their brand management in the hands of users, or worse, critics.
