radenkovic
3 years ago | Helpful | Level 5
Received 3 2FA emails in one minute, but 2FA was not enabled on my account
Hi all,
A strange thing happened today, I've received 3 emails in sequence with content:
Hi [MY FIRST NAME],
Finish signing in to Dropbox with this one-time security code:
[ 6 DIGIT CODE]
If you didn't try to sign in, don't worry. You can safely ignore this email.
I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!
Adding headers here (redacted):
From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC:
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228
Headers look legit, it seems that email is not spoofed.
Is this some sort of bug? Can someone from dev/support explain what happened? There was this LastPass breach a few days ago and I am not sure if those are connected.
TL;DR: Received 2FA emails, however 2FA is not enabled on my account.
Just in case I updated my password once again (was changed a week ago).
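The post above judges the mail "legit" from its From, Message-ID and X-SES headers. The added example below (not from the thread or from Dropbox) parses that same redacted header block and separates the indicators a sender can write freely from the one that can actually rule out spoofing, an Authentication-Results header with an aligned DKIM or DMARC pass, which the quoted headers do not include.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reproducing the redacted headers quoted in the post
# (placeholders kept as-is). A mail from a real inbox would normally also
# carry an Authentication-Results header added by the receiving server.
SAMPLE_HEADERS = """\
From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC:
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228
"""


def check_sender(raw_headers: str) -> dict:
    """Report which legitimacy indicators the headers carry and whether they
    are enough to rule out a spoofed sender."""
    msg = message_from_string(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    msgid_host = msg.get("Message-ID", "").strip().rstrip(">").rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    result = {
        # Writable by any sender: these only make spoofing less likely.
        "from_domain_ok": from_domain == "dropbox.com",
        "sent_via_ses": msgid_host.endswith("amazonses.com") and "X-SES-Outgoing" in msg,
        # Added by the receiving MTA after verifying the signature / envelope.
        "dkim_aligned": "dkim=pass" in auth and "header.d=dropbox.com" in auth,
        "dmarc_pass": "dmarc=pass" in auth,
    }
    result["spoofing_ruled_out"] = result["dkim_aligned"] or result["dmarc_pass"]
    return result
```

With the headers as quoted, the sender-controlled checks pass but `spoofing_ruled_out` is False; the same headers plus an `Authentication-Results` line with `dkim=pass header.d=dropbox.com` flip it to True.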
- MichaelEngstler | New member | Level 2
Hello,
I've received two emails on 19/12/2022 requesting to finish signing up by providing the one-time password.
- I haven't logged in or used my Dropbox account for more than a year
- My password is very complicated and was generated by LastPass and is not shared between any accounts
- I've already conducted all counter-measures such as changing password (I already have 2FA turned on).
- Lastly, I didn't use Dropbox on 19/12/2022 in any way
My one and single concern is - Did someone manage to enter correct credentials to my account, or was a glitch/bug from DropBox?
This is very important for me as it's close to the dates LastPass was breached, and I need to understand if the email from DropBox was a legitimate login attempt with my password or a bug from DropBox.
Please don't simply suggest changing my password/2FA as I have already done that.
My only question is if someone managed to actually enter my correct password to DropBox on 19/12/2022.
We can further elaborate over email if required.
Thank you,
Michael
- Rich | Super User II
radenkovic wrote:
Received 2FA emails, however 2FA is not enabled on my account.
That's not a two-step verification email. That's a one-time security code email. Similar, but different. You don't need to have two-step verification enabled to receive the one-time security code. Dropbox will request a code if they feel a login attempt is suspicious.
Even though they didn't get in to your account, you probably should review the active sessions and devices linked to your account, and change your password. You can do both from your Security page.
- radenkovic | Helpful | Level 5
Walter, Rich, sorry guys for bugging you again, but it's very likely that you have some bug/security issue on the platform.
In this reddit post, more people are complaining about the same thing:
https://www.reddit.com/r/dropbox/comments/y3rl64/dropbox_spamming_dropbox_security_code_emails/
- I also received 3 emails in one minute
- No signs of compromise
- Reddit post (screenshot is dated 27Dec), mine happened on 26Dec
ANOTHER UPDATE:
Exactly the same behavior reported during the last week on your forums.
- Also 3 emails in one minute
Please report this to developers/security, this incident should be reviewed because there may be a way to compromise user accounts and bypass password.
- willywonka | Helpful | Level 5
Hi,
I had the exact same problem, 3 emails within 1-2 minutes. And it was definitely not me.
I contacted support and they were completely useless. I even upgraded my account just to be able to chat to support, as someone having my password would require me to update a lot of accounts not just dropbox, but nobody was able to give me a straight answer.
Here is what I have found so far per Dropbox's own FAQs:
https://help.dropbox.com/account-access/one-time-code
There are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".
But why on earth would I not worry if someone compromised my password? Makes no sense.
So I try to understand, in what situation would this email be triggered, unless someone has my password?
On a final note: I did today try to log in myself, from an unusual browser and using a vpn, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms, if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?
If anyone can answer this question it would be great, because I totally freaked out over the last few days trying to find the answer to this. Thank you!
- radenkovic | Helpful | Level 5
Thanks Rich! Does that mean that the malicious actor entered the correct password?
Just FYI I changed my password after the incident and enabled 2FA. Also, there are no suspicious sessions/logins on my account (active sessions).
- Nancy | Dropbox Staff
Hey radenkovic!
Is there any chance that you had previously stored your Dropbox password somewhere that was accessible by another user/person?
If you don’t see any trace of another device/browser on your Security tab though, it means that no one else managed to log in to your Dropbox account.
Also, good thinking on resetting your Dropbox password/enabling 2FA; that should do it.
- BabylonBubbles | New member | Level 2
The six-digit code is necessary for every **bleep** login. This hinders my workflow enormously. I've turned the 2FA on and off a few times, but Dropbox insists that I log in this way. I also only work from the same two devices that have permission. No one else has access to it.
I am absolutely annoyed by it. I don't want this! How can I get rid of this?
- Rich | Super User II
BabylonBubbles wrote:
The six-digit code is necessary for every **bleep** login. ... How can I get rid of this?
There's two-step verification and there are one-time security codes. Two-step verification is something the user enables and can be turned off. One-time security codes are requested when Dropbox believes a login attempt is suspicious, and cannot be disabled.
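Rich's explanation puts the one-time code on the service side, sent whenever a login looks suspicious, and several posters report the same signal: three codes to one account inside a minute with no login completed. The added example below (not from the thread or from Dropbox) shows how an auth service could surface that pattern from its own code-issuance log with a sliding window per account; the log format, timestamps and account names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a code-issuance log (hypothetical format). The second
# account reproduces the pattern reported in this thread: three codes to one
# account within one minute, with no matching login_ok event afterwards.
LOG_LINES = """\
2022-12-26T11:02:10Z otp_sent account=alice@example.test ip=203.0.113.5
2022-12-26T11:02:31Z login_ok account=alice@example.test ip=203.0.113.5
2022-12-26T11:03:37Z otp_sent account=bob@example.test ip=198.51.100.7
2022-12-26T11:03:52Z otp_sent account=bob@example.test ip=198.51.100.7
2022-12-26T11:04:21Z otp_sent account=bob@example.test ip=198.51.100.9
2022-12-26T11:30:00Z otp_sent account=alice@example.test ip=203.0.113.5
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, event, {field: value})."""
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), event, kv


def burst_accounts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {account: [send times, source ips]} for accounts that received
    `threshold` or more one-time codes inside any window of `window` length,
    ignoring the sends of an account once it completes a login."""
    recent = defaultdict(deque)   # account -> recent (time, ip) sends
    flagged = {}
    for line in lines:
        ts, event, kv = parse(line)
        account = kv["account"]
        if event == "login_ok":      # a completed login ends the burst
            recent[account].clear()
            continue
        if event != "otp_sent":
            continue
        q = recent[account]
        q.append((ts, kv["ip"]))
        while q and ts - q[0][0] > window:   # drop sends older than the window
            q.popleft()
        if len(q) >= threshold and account not in flagged:
            flagged[account] = {"times": [t for t, _ in q],
                                "ips": sorted({ip for _, ip in q})}
    return flagged
```

Bursts with no completed login are the cases worth reviewing on the service side (active sessions, source IPs, whether the password stage was passed); an account that finishes its login is cleared and never flagged.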