Hi all, A strange thing happened today, I've received 3 emails in sequence with content: Hi [MY FIRST NAME], Finish signing in to Dropbox with this one-time security code: [ 6 DIGIT CODE] If you didn't try to sign in, don't worry. You can safely ignore this email. I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!! Adding headers here (redacted): From: Dropbox To: [MY EMAIL] CC: Subject: [6DIGITS CODE] is your Dropbox security code Date: Mon, 26 Dec 2022 11:03:37 +0000 Message-ID: X-Dropbox-Message-ID: 16683002164785652191 Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES X-SES-Outgoing: 2022.12.26-54.240.39.228 Headers look legit, it seems that email is not spoofed. Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected. TLDR; Received 2FA emails, however 2FA is not enabled on my account. Just in case I updated my password once again (was changed a week ago).

I also believe there can be a leak, that they decided to not disclose in order to protect their reputation. I also decided to delete all my files from dropbox given the lack of transparency in the topic.

@Randy90 wrote: We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I’ve already attempted to replicate that, I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to. Yeah I tried as well from a VM created in another country from where I am. The front end doesn't trigger it with an invalid password. Maybe one of the API endpoints does but it is not worth my time to setup a developer account just to test this. At this point I am just going to delete my account. Even if my account wasn't compromised, and somehow believe the "Just ignore this" email we got 3 times in a row is just their internal system sending emails in error, I just can't trust them anymore. For all we know they had an internal breach, and they just haven't disclosed it yet.

@BabylonBubbles wrote:The six-digit code is necessary for every **bleep** login. ... How can I get rid ob this? There's two-step verification and there are one-time security codes. Two-step verification is something the user enables and can be turned off. One-time security codes are requested when Dropbox believes a login attempt is suspicious, and cannot be disabled.

Child Item

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

radenkovic

Hi all,

A strange thing happened today, I've received 3 emails in sequence with content:

Hi [MY FIRST NAME],

Finish signing in to Dropbox with this one-time security code:

[ 6 DIGIT CODE]

If you didn't try to sign in, don't worry. You can safely ignore this email.

I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!

Adding headers here (redacted):

From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC: 
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

Headers look legit, it seems that email is not spoofed.

Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected.

TLDR; Received 2FA emails, however 2FA is not enabled on my account.

Just in case I updated my password once again (was changed a week ago).

Find more posts tagged with

Security

Account Access

Disagree

Accepted answers

All comments

Rich

@radenkovic wrote:
Received 2FA emails, however 2FA is not enabled on my account.

That's not a two-step verification email. That's a one-time security code email. Similar, but different. You don't need to have two-step verification enable to receive the one-time security code. Dropbox will request a code if they feel a login attempt is suspicious.

Even though they didn't get in to your account, you probably should review the active sessions and devices linked to your account, and change your password. You can do both from your Security page.

radenkovic

Thanks Rich! Does that mean that the malicious actor entered the correct password?

Just FYI I changed my password after the incident and enabled 2FA. Also, there are no suspicious sessions/logins on my account (active sessions).

Nancy

Hey @radenkovic!

Is there any chance that you had previously stored your Dropbox password somewhere that was accessible by another user/person?

If you don’t see any trace of another device/browser on your Security tab though, it means that no one else managed to log in to your Dropbox account.

Also, good thinking on resetting your Dropbox password/enabling 2FA; that should do it.

radenkovic

@Nancy, thanks for your input! I don't have any files on that dropbox account and have decent security practices (using password manager, not reusing passwords etc), it may be that I'm compromised, but I doubt it, that's why I am checking.

Is it possible to check logs with timestamp from my first post and confirm that someone actually tried to login with correct pw?

Walter

Hey @radenkovic, sorry to jump in, but I just wanted to confirm that the email you received seems to have come from an official Dropbox domain.

Just in case, you can change your account's password as the one time code that was sent to you would indeed only be sent if the password entered was correct.

The only timestamps about this incident you can check are the ones from any email you may have received during that time while you could also check your account's Security page for any web sessions that you don't recognize etc.

I hope this helps!

radenkovic

Thanks Walter! I've already updated the password, second time this week.

There were no suspicious sessions on my account (also there are 0 files in my dropbox so nothing really to compromise).

Just to mention that I am well-seasoned with OpSec and worked on many anti-fraud/phishing/scam projects, and was genuinely worried if I'm targeted as a revenge or something. The password itself was brute-force proof and autogenerated (16+ chars, a-Z0-9 and symbols), not stored anywhere except in my password manager (I suspected that it was compromised but it's unlikely), no traces of malware on my computer, and no other accounts from the manager were compromised (although I changed all the passwords and moved to local pw manager).

radenkovic

@Walter @Rich sorry guys for bugging you again but It's very likely that you have some bug/security issue on the platform.

In this reddit post, more people are complaining about the same thing:
https://www.reddit.com/r/dropbox/comments/y3rl64/dropbox_spamming_dropbox_security_code_emails/

- I also received 3 emails in one minute

- No signs of compromise

- Reddit post (screenshot is dated 27Dec), mine happened on 26Dec

ANOTHER UPDATE:

https://www.dropboxforum.com/t5/Security-and-Permissions/I-want-to-review-sign-in-attempts/td-p/646015

Exactly the same behavior reported during the last week on your forums.

- Also 3 emails in one minute

Please report this to developers/security, this incident should be reviewed because there may be a way to compromise user accounts and bypass password.

willywonka

Hi,

I had the exact same problem, 3 emails within 1-2 minutes. And it was definetely not me.

I contacted support and they were completely useless. I even upgraded my account just to be able to chat to support, as someone having my password would require me to update a lot of accounts not just dropbox, but nobody was able to give me a straight answer.

Here is what i have found so far per dropbox's own FAQs.

https://help.dropbox.com/account-access/one-time-code

There are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".

But why on earth would i not worry if someone compromised my password? Makes no sense.

So i try to understand, in what situation would this email be triggered, unless someone has my password?

On a final note: I did today try to log in myself, from an unusual browser and using a vpn, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms, if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?

If anyone can answer this question would be great, because i totally freaked out over the last few days trying to find the answer to this.

thank you!

arana

"Someone has access to your password but don't worry they can't yet get to your dropbox account" is not a good message to receive in an email.

Megan

Hey guys, I hope you're all doing well!

Would it be okay for me to reach out via email, in order for us to have a closer look into this?

Let me know!

radenkovic

@Megan feel free to reach me via email (it's the same I'm using to login to this account).

Megan

Hi @radenkovic, I just sent you an email.

Reply back to me, and we'll take it from there!

arana

Hi Megan, You can email me as well.

Hannah

Hey @arana, you've got mail as well!

willywonka

Hi,

can you reach out to me via email as well? as the exact same thing happened to me. Thank you

Hannah

Not a problem, @willywonka!

I just sent you an email as well, so make sure to get back to me, when you have a chance.

Randy90

Just chiming in to say I have also been hit with the 3 emails in the span of less than a minute.

This is happening too many times now to be a coincidence, fortunately I don’t have any sensitive files on my account but that’s not the point, a LOT of people are getting these 3 OTP emails in quick succession for it to just be brushed off, as someone said in this thread earlier there has to be either a bug/glitch or a security flaw with Dropbox itself.

MichaelEngstler

Hello,

I've received two emails on 19/12/2022 requesting to finish singing up by providing the one-time password.

- I haven't logged in or used my Dropbox account for more than an year

- My password is very complicated and was generated by LastPass and is not shared between any accounts

- I've already conducted all counter-measures such as changing password (I already have 2FA turned on).

- Lastly, I didn't use Dropbox on 19/12/2022 in anyway

My one and single concern is - Did someone manage to enter correct credentials to my account, or was a glitch/bug from DropBox?

This is very important for me as it's close to the dates LastPass was breach and I need to understand if the email from DropBox was a legitimate login attempt with my password or a bug from DropBox.

Please don't simply suggest to change password/2FA as I have already done that.

My only question is if someone managed to actually enter my correct password to DropBox on 19/12/2022.

We can further elaborate over email if required.

Thank you,

Michael

radenkovic

I think you should open support tickets, as for now Dropbox support is clearly ignoring the issue, I am getting only generic responses to change my password and other usual stuff. However, there are a lot of indications that the problem actually exists on Dropbox side.

MichaelEngstler

Hey @Megan, can you please reach out to me via email as well?

The same email as my dropbox account.

Thanks

Walter

Hey @Randy90, thanks for flagging this with us.

Would it be OK if we reached out via email to investigate further?

As for you @MichaelEngstler, note that I've just sent you an email, so please have a look at your inbox and we'll take it from there.

Thanks!

MENTZC

Same thing happened to me over the weekend out of the blue. Feel free to contact me as well.

I know they say "You can safely ignore this email." but this is concerning to me as I need to know the cause.

jmg2

Hello, this also occurred for me about 2 hours ago, three consecutive emails within the same minute. May I please be contacted via email?

Thanks

Nancy

Hey @MENTZC and @jmg2; I’m sorry to hear you’re having the same issue.

Did you check your Security page to make sure there are no unknown devices/browsers linked to your Dropbox account?

Also, is it possible to upload a screenshot of the email you received, so that I can have a look? Just make sure there’s no personal info showing.

Thanks!

MENTZC

No unknown devices/sessions on my account. I hardly ever log into it, so this is why it was so random to get them.

3 in less than a minute. All different codes.

I cannot be a coincidence that we are all getting exactly 3 in less than a minute. My hope is this is some kind of bug or related to a mobile app or something but "you can safely ignore this email" is horrible advice if an account password was compromised.

arana

Problem kinda solved, from the support team:

"I would like to let you know that these one-time codes are standard for if any attempt is made to log into an account from a new device. The correct password is not a requirement for this one-time code to be sent.

I can also confirm that your accounts are safe, as long as your email accounts are not compromised - I would strongly suggest that you set up 2FA if you want to secure your account access further. "

willywonka

Hi Arana, I think this is not a correct answer, I tried to log in putting the wrong password on purpose, and I did not receive any codes. Can you try to log in with a wrong password and let us know if you receive the codes? I was not able to reproduce it

Megan

Hi guys, for anyone still facing this, can I send you an email, in order for us to have a closer look into this?

willywonka

I am copy pasting the email i received from support down below. However, this email seems quite useless and does not answer the main question which is : How is that email triggered unless someone has the correct password?

I am assuming everyone received the same email as i am pasting here?

---

"Thank you for your patience as we are reviewing your case regarding the emails you received. I am a member of the Dropbox team.

I can confirm that the email that you have received is a legitimate email from Dropbox. You were sent this message because you have recently attempted to log in to your account. You will need to enter this verification code to complete the sign in process. This is not linked to 2 step verification and is an automated safety feature for your account.

We have implemented this to prevent abuse on your account. If you continue to receive these emails and you are not attempting to log in, we would recommend changing the email address connected to your account and securing your account by doing the following:

If you haven't done so already, please change your Dropbox account password, which you can do by clicking the link below and following the on-screen prompts:

https://www.dropbox.com/account/security

Please note: Dropbox recommends strong passwords that are not used for any other website or service. Once you change your password, the change will become effective immediately on all computers and devices linked to your account.

Change the password to the email address you use for your Dropbox account. Again, choose a strong password that you don't use for any other service (including Dropbox).

For added security, we recommend that you enable two-step verification, which protects your account even if your password is compromised. Once enabled, Dropbox will require a six-digit code in addition to your password when signing in to the Dropbox website or linking a new device. To learn more, please see:

https://help.dropbox.com/teams-admins/team-member/enable-two-step-verification

If you are having trouble logging in or if you have any further questions, please let me know and I will be happy to help.

Regards"

Randy90

I can also confirm when attempting to login to my account with an incorrect password it does not trigger the verification email that I received prior, even when using a VPN so there can be no excuse such as it knowing my original IP address that it wouldn’t need to verify it via email.

To the Moderators/Staff saying it’s just because of an unsuccessful sign-in attempt, you’ve been clearly proven wrong, why would you even NEED a verification number anyway if the login attempt wasn’t using the correct password and therefore unsuccessful?

This needs a serious investigation and not just palmed off with “oh it’s probably just because x”, there’s been even more people replying with the exact same issue even some that don’t even use their account that much.