Dropbox users claim email addresses leaked to spammers, company blames 2012 security breach

Dropbox users are reporting spam coming to unique email addresses used for the cloud storage service. In a forum thread from yesterday, a user complained that a Dropbox-specific address had been receiving spam since February 20th, suggesting that the address had been exposed. After a moderator dismissed the claim by saying that spammers might have guessed the address randomly, several other people raised the same issue, most with addresses that were used only for Dropbox. They generally reported spam starting around the 19th or 20th.

About an hour ago, after the issue gained traction on Hacker News, a Dropbox employee posted a response:

We’ve been looking into these spam reports and take them seriously. Back in July we reported that certain user email addresses had leaked and some users had received spam as a result. At this time, we have not seen anything to suggest this is a new issue, but remain vigilant given the recent wave of security incidents at other tech companies. If you’ve received spam to an email account you only use for Dropbox, please send the message (including full headers) to to help our ongoing investigation.

Separately, we want to apologize for some of the dismissive responses from our volunteer moderators — since they aren’t employed by Dropbox, they don’t have visibility into issues like this. We want you to know that we've taken these reports seriously and began our investigation immediately.

The reports we're hearing now are similar to those from a year ago, when users also began receiving spam to unique accounts. As referenced above, Dropbox concluded that those emails were the result of a small number of compromised accounts, one of which gave miscreants access to a document with user email addresses in an employee folder. Users who mentioned receiving spam this time around also said their accounts had been active for years, so it's possible this is still due to last year's security breach, but we've reached out to Dropbox for comment and will be watching for signs that more is afoot.