Child Item

Employee Compromised Account

I have an employee here that signed up for a free DropBox account with their work email. The account has been compromised and the MFA phone number has been changed, so even though I can get a password reset email, I can't complete the change without the MFA code. The account has sent out numerous phishing e-mails to customers and vendors and is continuing to do so since they have hijacked the account.

Is there any way we can disable or shutdown the account? We own the email address and domain. It's sending malicious content to our Customers, at the very least I need to disable them from sending out sharing emails.

Find more posts tagged with

Security

Account Access

Disagree

Comments

Nancy

I’m sorry to hear about the situation, @jchamp_shlc.

Unfortunately, it’s only possible to delete a Dropbox account, after logging in to it, and our support team can’t do it on their end either, due to security reasons.

However, can you please check with your employee if they have the emergency codes they received upon setting up two-step verification? If they do, they can use them to access the account instead, to change the 2FA phone number, email and password, or delete it, if they wish to.

Other than that, they can check if they have a backup phone number that may still work, or check their linked devices (for more info, please check the attached link).

Let me know, if that helps.

Zachary3

We are experiencing the same issue. Our staff members mailbox was temporarily compromised, during which the attacker logged in to their Dropbox and set up a 2FA Authenticator App.

We reset the password but cannot actually log in without the 2FA or recover code - of which we have neither. The attackers session is still active, so they're sending out fraudulent emails with malicious payloads.

If we could simply terminate all active sessions this would fix the issue, but we can only do that by logging in (chicken & egg situation). We logged a ticket with Dropbox asking they do this for us, but they have not responded.

This is a disaster, and SHAME on Dropbox for allowing this kind of situation to occur. At the very least terminate all the current sessions when the password is reset! Crazy.

If ANYONE at Dropbox cares, because our clients certainly do, the ticket number is: 22934270

Helen DBX

Hey there,

Helen from Dropbox here.

A security specialist has just responded to your ticket. Please have a look and we will take care of that for you.

Best regards,
Helen
The Dropbox Team
https://www.dropbox.com/help

Helen DBX

Hey there,

Helen from Dropbox here.

I understand your concern with the compromised account.

A security specialist will investigate this for you. Please ask your employee to create a support ticket with the same email address associated with the compromised Dropbox account:
http://www.dropbox.com/support

We can then review the case and help you fully.

Best regards,
Helen
The Dropbox Team
https://www.dropbox.com/help

jchamp_shlc

Helen,

Thank you for the reply. We have created a support case under their email address/account.

Support Ticket # 22951548

We got word this morning from some vendors and customers that the attacker send out new sharing links with malicious content (attachment that leads the user to credential phishing page).

Nancy

Sorry to jump in, @jchamp_shlc. I've located your ticket in our system, and I've left an internal note to our team for you. They should get back to you as soon as possible.

GDLaw

We're having the same issue. Can someone please look at Ticket #24009553: DB: Account compromised

Megan

Hi @GDLaw, thanks for sharing your ticket number reference with me!

I was able to locate your ticket, and an agent will be with you shortly.

Thank you!

GDLaw

Thank you Megan. I think we got a response but the users email may have been compromised at the time. Is there anyway you can have the last response on the ticket sent again?

Megan

Hey @GDLaw, I'll ping the agent working on your case to do so.

Hang tight, and we'll get to this.