Tell HN: Dropbox e-mail database hacked (again?)

17 points by moe ↗ HN
A minute ago I've received a phishing mail (screenshot http://imgur.com/lc5VxtY) on all my 8 email addresses that I had used to sign up for dropbox accounts over the years.

These are all non-guessable addresses used exclusively for dropbox.

All links in that mail point to http://lindXXXbuchleitner.com/wp-content/plugins/wps.php?c002 (XXX = sey), which presumably carries something malicious (I didn't click).

Question to HN: Who else has received this spam?

And question to Dropbox: Why was I not notified when my e-mail addresses (and what else?) were stolen from your servers?

7 comments

[ 3.6 ms ] story [ 36.8 ms ] thread
Thank you updating that this issue still is occurring with Dropbox e-mails. Has Dropbox officially responded to this incident? It seems as if this problem has been mentioned here and some other outlets for about a month or so (emerged some time around mid-Feb. 2013 ? ).
That link redirects to hxxp://3rgjrihoqwd.dns04.com/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php DNS04 is a dynamic IP address service. That address loads an obfuscated web page with a java (or flash?) widget. Then it redirects to hxxp://doctormusi.ru which tries to sell me Viagra.
Okay, after some research this might be aftermath from a breach that happened last year: http://arstechnica.com/security/2012/07/dropbox-hires-outsid...

Though I wonder why I start receiving spam now (almost a year later).

And I wonder how it hits all my Dropbox-accounts despite Dropbox claiming only "some" addresses were lost back then.

It doesn't quite add up to me, and I also don't like that the relevant threads on the dropbox-forum (that the various blog-posts link to) seem to be deleted.

Why would anyone use eight different emails to (presumably) eight different accounts?
referrals to boost capacity...
I use a dedicated e-mail for every account I create anywhere (servicename-foo@domain.com).

I don't recall the reasons for all of the accounts, but I often create quick one-offs e.g. when to share photos from a mobile/tablet without linking it to my main account. Most of the accounts haven't been in use for years.

There was an entire thread a few weeks ago: https://news.ycombinator.com/item?id=5300492

I contacted Dropbox at the time, and they confirmed it _seems_ to be related to the leak of email addresses July last year. Of course this doesn't make things less serious; they still have a leak, and our info is likely out in the wild. But at least they did notify affected users last year.

  > Sean, Mar 13 02:19 pm (PDT): 
  > Hi,
  > Sorry for not responding earlier, and thanks for the report. We're still
  > looking into the spam, and so far it looks like it's tied to the leak of
  > email addresses from Dropbox back in July.
  > 
  > You can read more about it here:
  > https://blog.dropbox.com/2012/07/security-update-new-features/
  > If you have any questions, please let me know.
  > 
  > Best,
  > Sean