Forum Discussion
TreborG2
5 days ago
New member | Level 2
I've never shared my file, yet I received a request from someone to be added to it.
I received a request through Dropbox, to allow a complete stranger to access a file.
...a file I've never shared with anyone, and should only be visible to me.
The file is a PNG and is something I named, which is less likely that someone could guess. It's not a complex named file, but too many coincidences.
How is someone else able to see the file name, how are they allowed to even make requests for files that were never shared outside of my account? Not maybe .. but NEVER shared, so it's not like someone could've sent a share link forward etc..
Given a recent FUBAR configuration problem from Dropbox, where it was automatically creating sharelinks for files despite its configuration not to, and that I had to manually go in and delete several hundred links when I discovered the issue, it's another concern of a security and privacy violation for a service that is paid to keep our stuff safe.
Basic message received:
=============
[email removed as per Community Guidelines] wants to access your file "xxxxxxx.png." Share this file with *** to let them view it.
5 Replies
- Megan 5 days ago
Dropbox Community Moderator
Hey TreborG2, sorry to hear about that!
Is it possible that the folder you mentioned is located inside another shared folder?
Are those requests that you're receiving coming from an official domain from the ones mentioned here?
Generally, this happens when someone who you've shared an item with forwarded the invite email to someone else to join or view the file, or they open the link using another Dropbox account instead of the invited one.
Any additional information is more than welcome!
Keep us posted!
- TreborG2 4 days ago
New member | Level 2
It would be nice if the system allowed us to insert images ... (links are just yet another exposure from inside Dropbox)
Basically all of my folders are locked to only me .. and inside some folders (currently 1 and only 1) are images that I share links to.
So when I go to the Dropbox web interface, into folders, only one is named "webshares" and it's under there that I will host a folder (currently 10) for items I may MAY want to share some day .. only 1 such folder under webshares has any content that I do openly share and even then it's only 2 files, and both of them are only linked to one of my gmail addresses.
The specific folder for this, and the file under it .. when I check locally and online at Dropbox, what I see in permissions, is none - folder settings, Link for Editing and Link for Viewing both show "There isn't a link for xxxx" and offer to create a link for that share type.
The share settings for the singular file in the folder show no-one, and the "unshare file" link when hovered over says "this file hasn't been shared yet"
As permissions go, the least lock should lock the file, not the broadest coverage to unlock. meaning ... even if an above folder is unlocked ... if a lower folder, and lower picture (or file) is locked, they should remain locked.
Say someone could see the folder names .. the folder is locked and not shared .. so why would someone be able to see the file name of a file inside a locked folder? .. the folder not having a share .. might allow the name of the folder be visible to the parent folder ... but the file in that locked folder should not be visible.
And I did think of that ... that maybe the folder this file is in isn't locked ... but confirmed .. it is.
It just seems more likely .. given the last screw up I found .. that this is yet another data leak .. minor though it may be .. it shows there's something leaking, at least it seems pretty clear to me given I've checked everything else I can.
And with that .. I should qualify I didn't reach out to the email address of the person that sent the request .. that would be something I'd rather Dropbox do, to find out how THEY saw a file reference or where, and when so that it can be tracked down.
- Hannah 4 days ago
Dropbox Community Moderator
Hey TreborG2, thanks for the update here.
Can you check and let us know who the sender of the email that you received is?
Not the email address of the person in the body of the email, but the actual sender.
Did the email come from an official Dropbox domain?
- TreborG2 4 days ago
New member | Level 2
Yes.. it's from Dropbox.. reviewed header .. dkim/spf pass, it's not a spoof.
Dropbox <no-reply@dropbox.com>
Authentication-Results: asp-relay-shared.jellyfish.systems;
dkim=pass header.d=dropbox.com header.s=fwekda4pbtfzhnrtrrriuun7z25zrizq header.b=fXScGN7w;
dkim=pass header.d=amazonses.com header.s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx header.b=n3YWZsty;
spf=pass (asp-relay-shared.jellyfish.systems: domain of 01010197501522d5-095b8287-80e2-4488-9270-444524b635a7-000000@email.dropbox.com designates 54.240.60.139 as permitted sender) smtp.mailfrom=01010197501522d5-095b8287-80e2-4488-9270-444524b635a7-000000@email.dropbox.com;
- Hannah 4 days ago
Dropbox Community Moderator
I see, thanks for the update here.
Have you reached out to our support team about this yet?
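The header check discussed in this thread, as an added example that is not part of any post: it parses an Authentication-Results value and accepts a dkim/spf pass only when the authenticated domain matches the visible From domain, which is what separates the dropbox.com signature from the amazonses.com relay signature. The header values are abridged from the post above (selectors and envelope local part replaced by placeholders), `RELAY_ONLY` is constructed, and treating asp-relay-shared.jellyfish.systems as the recipient's own mail provider is an assumption.

```python
import re

# From and Authentication-Results values from the post above, abridged:
# DKIM selectors and the envelope local part are replaced by placeholders.
FROM_HEADER = "Dropbox <no-reply@dropbox.com>"
AUTH_RESULTS = (
    "asp-relay-shared.jellyfish.systems; "
    "dkim=pass header.d=dropbox.com header.s=SELECTOR1 header.b=fXScGN7w; "
    "dkim=pass header.d=amazonses.com header.s=SELECTOR2 header.b=n3YWZsty; "
    "spf=pass (domain of BOUNCE-ID@email.dropbox.com designates 54.240.60.139 "
    "as permitted sender) smtp.mailfrom=BOUNCE-ID@email.dropbox.com"
)
# Constructed counter-example: only the relay's own domain authenticates.
RELAY_ONLY = (
    "asp-relay-shared.jellyfish.systems; "
    "dkim=pass header.d=amazonses.com header.s=SELECTOR2; "
    "spf=pass smtp.mailfrom=BOUNCE-ID@amazonses.com"
)

def parse_auth_results(value):
    """Return (authserv_id, [result dicts]) for an Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", " ", value)          # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", part[m.end():]))
            results.append({"method": m.group(1), "result": m.group(2), **props})
    return parts[0], results

def aligned(domain, from_domain):
    """Simplified relaxed alignment: equal to, or a subdomain of, the From domain.
    Real DMARC compares organizational domains using the Public Suffix List."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain)

def assess(from_header, auth_results, trusted_authserv):
    """Check that a passing DKIM or SPF result is tied to the visible From domain."""
    from_domain = re.search(r"@([\w.-]+)>?\s*$", from_header).group(1)
    authserv_id, results = parse_auth_results(auth_results)
    passed = [r for r in results if r["result"] == "pass"]
    dkim = any(r["method"] == "dkim" and aligned(r.get("header.d", ""), from_domain)
               for r in passed)
    spf = any(r["method"] == "spf" and
              aligned(r.get("smtp.mailfrom", "").rpartition("@")[2], from_domain)
              for r in passed)
    trusted = authserv_id == trusted_authserv        # header stamped by our own receiver
    return {"trusted_header": trusted, "dkim_aligned": dkim, "spf_aligned": spf,
            "authentic": trusted and (dkim or spf)}

# Assumption: asp-relay-shared.jellyfish.systems is the recipient's own mail provider.
MY_RECEIVER = "asp-relay-shared.jellyfish.systems"
```

An Authentication-Results header is only evidence when it was added by your own receiving server, which is why `assess` also compares the authserv-id against the receiver you trust.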