(LiveHacking.Com) – Dropbox is investigating why some of its users have been receiving spam at email addresses associated with their accounts. The problems began on Tuesday, when some European Dropbox users started complaining on the support forums that they had begun to receive spam. There is nothing unusual about spam nowadays, but this spam was arriving at email addresses that had been created specifically for use with Dropbox and were not used anywhere else. That detail is what makes the reports significant: an address given to exactly one service cannot have been harvested from the user's own contacts or from some other site, so its appearance on a spam list points at the service it was created for.
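The per-service "canary" address technique that surfaced this incident is worth showing in working form. The following is an added example and not code from the original article or from Dropbox; it generates a unique address per service, tags it with an HMAC so that a received address can be verified rather than trusted at face value, and then attributes a batch of spam recipients back to the service that leaked each one. The domain, secret and the list of recipients are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed values for this example only; a real deployment keeps the
# secret out of source control and uses its own catch-all domain.
SECRET = b"example-only-secret-do-not-reuse"
DOMAIN = "example.org"
TAG_LEN = 8  # hex characters of HMAC kept in the local part

ADDR_RE = re.compile(
    r"^([a-z0-9-]+)\.([0-9a-f]{%d})@%s$" % (TAG_LEN, re.escape(DOMAIN))
)


def _tag(service: str, secret: bytes) -> str:
    """HMAC-SHA256 of the service name, truncated to TAG_LEN hex chars."""
    return hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def canary_address(service: str, secret: bytes = SECRET) -> str:
    """Return a per-service address such as 'dropbox.<tag>@example.org'.

    The tag binds the address to the service name, so someone who sees one
    alias cannot forge plausible aliases for other services, and a guessed
    'dropbox.deadbeef@example.org' will fail verification on receipt.
    """
    service = service.lower()
    return f"{service}.{_tag(service, secret)}@{DOMAIN}"


def attribute_leak(recipient: str, secret: bytes = SECRET):
    """Map a spam recipient back to the service that leaked it.

    Returns the service name, or None when the address is not one of our
    canaries (wrong domain or shape) or its tag does not verify.
    """
    m = ADDR_RE.match(recipient.strip().lower())
    if not m:
        return None
    service, tag = m.group(1), m.group(2)
    if not hmac.compare_digest(tag, _tag(service, secret)):
        return None
    return service


def leak_report(recipients):
    """Count verified canary hits per service across a batch of recipients."""
    counts = {}
    for r in recipients:
        svc = attribute_leak(r)
        if svc is not None:
            counts[svc] = counts.get(svc, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed "To:" addresses taken from a hypothetical spam run.
    spam_recipients = [
        canary_address("dropbox"),
        canary_address("dropbox"),
        canary_address("newsletter"),
        "dropbox.00000000@example.org",   # guessed tag, should not verify
        "alice@example.org",              # not a canary at all
    ]
    print(leak_report(spam_recipients))
```

Tag verification matters because a spammer who obtains one canary can see the naming pattern; without the HMAC, a forged `dropbox.<anything>@example.org` would be miscounted as evidence against Dropbox. The report above attributes only addresses that both match the pattern and carry the correct tag.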
Later, at around 3 p.m. ET, Dropbox went down and users were unable to log in and access their files. Then, by early evening (US time), Dropbox issued a statement: "We're aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it's frustrating not to get an update with more details sooner, but please bear with us as our investigation continues."
According to a forum post by someone who appears to be a Dropbox employee, the site outage (at around 3 p.m. ET) "was incidental and not caused by any external factor or third-party." In the same post "Joe G." wrote: "We wanted to update everyone about spam being sent to email addresses associated with some Dropbox accounts. We continue to investigate and our security team is working hard on this. We've also brought in a team of outside experts to make sure we leave no stone unturned." He also wanted to assure users that Dropbox hasn't had "any reports of unauthorized activity on Dropbox accounts."
The BIG question is how the spammers got hold of the email addresses. There are two possibilities. The first is that Dropbox has suffered a security breach in which email addresses were stolen. In such a breach the attackers could also have taken account passwords but chosen not to use them, preferring to monetize only the email addresses via spam; or the passwords were hashed and salted and the attackers have been unable to crack them, which would fit Dropbox's statement that it has seen no unauthorized account activity. The second possibility is a vulnerability in Dropbox's APIs, either on the web or in the SDK/protocols, that allows the spammers to harvest email addresses without knowing any other user details. In either case, the unique-address reports rule out a leak on the users' side and place the source at Dropbox or in something Dropbox exposes.
Whichever it turns out to be, this could be a serious dent in the credibility of Dropbox, and of cloud storage in general.