Forum Discussion
radenkovic
3 years ago | Helpful | Level 5
Received 3 2FA emails in one minute, but 2FA was not enabled on my account
Hi all,
A strange thing happened today, I've received 3 emails in sequence with content:
Hi [MY FIRST NAME],
Finish signing in to Dropbox with this one-time security code...
willywonka
3 years ago | Helpful | Level 5
I am copy-pasting the email I received from support down below. However, this email seems quite useless and does not answer the main question, which is: How is that email triggered unless someone has the correct password?
I am assuming everyone received the same email as I am pasting here?
---
"Thank you for your patience as we are reviewing your case regarding the emails you received. I am a member of the Dropbox team.
I can confirm that the email that you have received is a legitimate email from Dropbox. You were sent this message because you have recently attempted to log in to your account. You will need to enter this verification code to complete the sign-in process. This is not linked to 2-step verification and is an automated safety feature for your account.
We have implemented this to prevent abuse on your account. If you continue to receive these emails and you are not attempting to log in, we would recommend changing the email address connected to your account and securing your account by doing the following:
If you haven't done so already, please change your Dropbox account password, which you can do by clicking the link below and following the on-screen prompts:
Please note: Dropbox recommends strong passwords that are not used for any other website or service. Once you change your password, the change will become effective immediately on all computers and devices linked to your account.
Change the password to the email address you use for your Dropbox account. Again, choose a strong password that you don't use for any other service (including Dropbox).
For added security, we recommend that you enable two-step verification, which protects your account even if your password is compromised. Once enabled, Dropbox will require a six-digit code in addition to your password when signing in to the Dropbox website or linking a new device. To learn more, please see:
If you are having trouble logging in or if you have any further questions, please let me know and I will be happy to help.
Regards"
Randy90
3 years ago | Helpful | Level 5
I can also confirm when attempting to login to my account with an incorrect password it does not trigger the verification email that I received prior, even when using a VPN so there can be no excuse such as it knowing my original IP address that it wouldn’t need to verify it via email.
To the Moderators/Staff saying it’s just because of an unsuccessful sign-in attempt, you’ve been clearly proven wrong, why would you even NEED a verification number anyway if the login attempt wasn’t using the correct password and therefore unsuccessful?
This needs a serious investigation and not just palmed off with “oh it’s probably just because x”, there’s been even more people replying with the exact same issue even some that don’t even use their account that much.
- radenkovic, 3 years ago | Helpful | Level 5
Can someone actually check the logs and compare IPs? It may be related to November '22 Dropbox leak, so attackers may be brute-forcing passwords. It's very indicative from the previous posts that many users actually did not use their accounts at all (like me) and received messages.
Those are serious issues and our concerns are valid. Dropbox should be more transparent and provide additional information and explain what is going on. Just to note that email correspondence was useless (you tried to log in, those are our security measures and other nonsense).
The crucial question is: did someone try to brute-force my password, or is it a bug? I am completely sure that I did not use this account for months.
Also, this thing bothers me a lot, as user arana mentioned
"The correct password is not a requirement for this one-time code to be sent. "
From a security/resources perspective I don't see how it makes sense to send an OT code even if the password is not correct? I was trying to replicate this scenario, and I cannot replicate it at all (tried using VPN, different locations etc).
Any chance to get some clarifications from opsec/tech team members?
- willywonka, 3 years ago | Helpful | Level 5
radenkovic do you have any information or links to that Dropbox leak? I could not find it online for some reason.
Regarding checking IPs: it would be great to know which IPs attempted the logins. If someone has a log, please copy-paste it here. I have been told that only the highest-tier accounts in Dropbox have failed-login-attempt logs. I tried upgrading my account, but it won't show me retroactive data.
- MENTZC, 3 years ago | Helpful | Level 5
Yeah at a minimum there should be more information in these emails. In addition to the IP address, the "What" from the "We noticed a new sign in to your Dropbox" or similar.
- Jay, 3 years ago
Dropbox Community Moderator
Hi everyone, the correct password isn't required in order for the one time code to be sent via email.
For security reasons we can't provide any information as to what methods Dropbox uses to identify a login as suspicious.
- willywonka, 3 years ago | Helpful | Level 5
Hi Jay, I am a little confused by your answer.
Does it mean that someone tried to log in to our account, typed the correct email, but the wrong password? Let me know if I understood you correctly.
- Jay, 3 years ago
Dropbox Community Moderator
Yes, the password for the account doesn't need to be correct in order to receive this email.
- willywonka, 3 years ago | Helpful | Level 5
Hi Jay, does it mean someone typed my email in Dropbox, and then typed the incorrect password?
Or is there any other scenario in which that one-time code could be triggered?
- Jay, 3 years ago
Dropbox Community Moderator
That's correct, though aside from this, there are other items that Dropbox uses to detect a suspicious login attempt.
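To make the moderator's statement concrete, here is an added, constructed model of a risk-based login flow (not Dropbox's code, not from this thread): the one-time-code email is decided by a risk check on the attempt before the password is compared, so a wrong password from an unfamiliar source still produces the email. The risk rule (unseen IP), the account structure and the per-account throttle that caps code emails per window are all assumptions; the throttle is included to show one way a burst like the "three emails in a minute" described in the thread can be limited.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of a risk-based login flow. Mirrors the
# moderator's description: the one-time-code email is triggered by a
# suspicious-looking attempt, not by a correct password. Names, the risk
# rule and the throttle are assumptions, not Dropbox's implementation.

@dataclass
class Account:
    email: str
    password: str                      # plaintext only to keep the model short
    known_ips: set = field(default_factory=set)
    sent_codes: list = field(default_factory=list)   # (timestamp, source_ip)

CODE_EMAILS_PER_WINDOW = 1     # assumed cap: one code email per account per window
WINDOW_SECONDS = 60

def is_suspicious(account: Account, ip: str) -> bool:
    """Stand-in risk engine: any source IP not seen before is suspicious."""
    return ip not in account.known_ips

def attempt_login(account: Account, password: str, ip: str, now: float) -> str:
    """Return 'challenge', 'throttled', 'ok' or 'denied'.

    The challenge decision is taken before the password is compared, so a
    wrong password from an unfamiliar IP still produces a code email.
    """
    if is_suspicious(account, ip):
        recent = [t for t, _ in account.sent_codes if now - t < WINDOW_SECONDS]
        if len(recent) >= CODE_EMAILS_PER_WINDOW:
            return "throttled"          # attempt recorded, no extra email sent
        account.sent_codes.append((now, ip))
        return "challenge"
    if password == account.password:
        return "ok"
    return "denied"
```

Under this model, receiving the code email tells the account owner only that a suspicious attempt was made, not that the attacker knew the password; the source IP recorded alongside each sent code is the detail the thread asks to see in the notification.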
- Randy90, 3 years ago | Helpful | Level 5
So they have "methods" to detect suspicious activity but apparently me trying to login using a VPN from a location I haven't ever been before isn't "suspicious" enough to trigger an OTP email?
I’m not buying it, if I had initially received just a single email then I’d most likely ignore it, perhaps change my password but nothing to get worked up about.
But that fact that me and MANY others received not 1, not 2 but THREE consecutive emails with OTP’s in the span of a minute is insanely (as you’d put it) “suspicious”.
We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I've already attempted to replicate that, I didn't receive a single email no matter how many times I tried it or wherever I moved the VPN to.
- MENTZC, 3 years ago | Helpful | Level 5
Randy90 wrote:
> We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I've already attempted to replicate that, I didn't receive a single email no matter how many times I tried it or wherever I moved the VPN to.
Yeah I tried as well from a VM created in another country from where I am. The front end doesn't trigger it with an invalid password. Maybe one of the API endpoints does but it is not worth my time to set up a developer account just to test this.
At this point I am just going to delete my account. Even if my account wasn't compromised, and somehow believe the "Just ignore this" email we got 3 times in a row is just their internal system sending emails in error, I just can't trust them anymore. For all we know they had an internal breach, and they just haven't disclosed it yet.
- willywonka, 3 years ago | Helpful | Level 5
I also believe there can be a leak, that they decided to not disclose in order to protect their reputation.
I also decided to delete all my files from dropbox given the lack of transparency in the topic.