Need to see if your shared folder is taking up space on your dropbox 👨💻? Find out how to check here.
Forum Discussion
Received 3 2FA emails in one minute, but 2FA was not enabled on my account
Hi all,
A strange thing happened today, I've received 3 emails in sequence with content:
Hi [MY FIRST NAME],
Finish signing in to Dropbox with this one-time security code...
Rich
Super User II
Super User II
radenkovic wrote:
Received 2FA emails, however 2FA is not enabled on my account.
That's not a two-step verification email. That's a one-time security code email. Similar, but different. You don't need to have two-step verification enable to receive the one-time security code. Dropbox will request a code if they feel a login attempt is suspicious.
Even though they didn't get in to your account, you probably should review the active sessions and devices linked to your account, and change your password. You can do both from your Security page.
Thanks Rich! Does that mean that the malicious actor entered the correct password?
Just FYI I changed my password after the incident and enabled 2FA. Also, there are no suspicious sessions/logins on my account (active sessions).- Nancy
Dropbox Community Moderator
Hey radenkovic!
Is there any chance that you had previously stored your Dropbox password somewhere that was accessible by another user/person?
If you don’t see any trace of another device/browser on your Security tab though, it means that no one else managed to log in to your Dropbox account.
Also, good thinking on resetting your Dropbox password/enabling 2FA; that should do it.
Nancy, thanks for your input! I don't have any files on that dropbox account and have decent security practices (using password manager, not reusing passwords etc), it may be that I'm compromised, but I doubt it, that's why I am checking.
Is it possible to check logs with timestamp from my first post and confirm that someone actually tried to login with correct pw?
Walter Rich sorry guys for bugging you again but It's very likely that you have some bug/security issue on the platform.
In this reddit post, more people are complaining about the same thing:
https://www.reddit.com/r/dropbox/comments/y3rl64/dropbox_spamming_dropbox_security_code_emails/- I also received 3 emails in one minute
- No signs of compromise
- Reddit post (screenshot is dated 27Dec), mine happened on 26Dec
ANOTHER UPDATE:
Exactly the same behavior reported during the last week on your forums.
- Also 3 emails in one minute
Please report this to developers/security, this incident should be reviewed because there may be a way to compromise user accounts and bypass password.
Hi,
I had the exact same problem, 3 emails within 1-2 minutes. And it was definetely not me.
I contacted support and they were completely useless. I even upgraded my account just to be able to chat to support, as someone having my password would require me to update a lot of accounts not just dropbox, but nobody was able to give me a straight answer.
Here is what i have found so far per dropbox's own FAQs.
https://help.dropbox.com/account-access/one-time-codeThere are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".
But why on earth would i not worry if someone compromised my password? Makes no sense.
So i try to understand, in what situation would this email be triggered, unless someone has my password?
On a final note: I did today try to log in myself, from an unusual browser and using a vpn, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms, if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?
If anyone can answer this question would be great, because i totally freaked out over the last few days trying to find the answer to this.thank you!
"Someone has access to your password but don't worry they can't yet get to your dropbox account" is not a good message to receive in an email.
- Megan
Hey guys, I hope you're all doing well!
Would it be okay for me to reach out via email, in order for us to have a closer look into this?
Let me know!
Megan feel free to reach me via email (it's the same I'm using to login to this account).
