Need to see if your shared folder is taking up space on your dropbox đšâđ»? Find out how to check here.
Forum Discussion
Received 3 2FA emails in one minute, but 2FA was not enabled on my account
Hi all,
A strange thing happened today, I've received 3 emails in sequence with content:
Hi [MY FIRST NAME],
Finish signing in to Dropbox with this one-time security code...
I can also confirm when attempting to login to my account with an incorrect password it does not trigger the verification email that I received prior, even when using a VPN so there can be no excuse such as it knowing my original IP address that it wouldnât need to verify it via email.
To the Moderators/Staff saying itâs just because of an unsuccessful sign-in attempt, youâve been clearly proven wrong, why would you even NEED a verification number anyway if the login attempt wasnât using the correct password and therefore unsuccessful?
This needs a serious investigation and not just palmed off with âoh itâs probably just because xâ, thereâs been even more people replying with the exact same issue even some that donât even use their account that much.
To the Moderators/Staff saying itâs just because of an unsuccessful sign-in attempt, youâve been clearly proven wrong, why would you even NEED a verification number anyway if the login attempt wasnât using the correct password and therefore unsuccessful?
This needs a serious investigation and not just palmed off with âoh itâs probably just because xâ, thereâs been even more people replying with the exact same issue even some that donât even use their account that much.
Megan
Dropbox Community Moderator
Dropbox Community ModeratorHi Randy90, how are you today?
Can I reach out to you, in order for us to investigate further via email?
Keep me posted!
Can someone actually check the logs and compare IPs? It may be related to November '22 Dropbox leak, so attackers may be brute-forcing passwords. It's very indicative from the previous posts that many users actually did not use their accounts at all (like me) and received messages.
Those are serious issues and our concerns are valid. Dropbox should be more transparent and provide additional information and explain what is going on. Just to note that email correspondence was useless (you tried to log in, those are our security measures and other nonsense).
The crucial question is: did someone try to brute-force my password, or it is a bug? I am completely sure that I did not use this account for months.
Also, this thing bothers me a lot, as user arana mentioned
"The correct password is not a requirement for this one-time code to be sent. "
From security/resources perspective I don't see how it makes sense to send OT code even if the password is not correct? I was trying to replicate this scenario, and I cannot replicate it at all (tried using VPN, different locations etc).
Any chance to get some clarifications from opsec/tech team members?
radenkovic do you have any information or links to that dropbox leak? i could not find it online for some reason.
Regarding checking IP's. It would be great to know which ip's attempted the logins. If someone has a log, please copy paste it here. I have been told that only the highest tier accounts in dropbox have failed login attempt logs. I tried upgrading my account, but it won't show me retroactive data.Yeah at a minimum there should be more information in these emails. In addition to the IP address, the "What" from the "We noticed a new sign in to your Dropbox" or similar.
- Jay
Hi everyone, the correct password isn't required in order for the one time code to be sent via email.
For security reasons we can't provide any information as to what methods Dropbox uses to identify a login as suspicious.
Hi Jay , i am a little confused by your answer.
Does it mean that someone tried to log in to our account, typed the correct email, but the wrong password? Let me know if i understood you correctly.
