Forum Discussion
radenkovic, 3 years ago, Helpful | Level 5
Received 3 2FA emails in one minute, but 2FA was not enabled on my account
Hi all,
A strange thing happened today, I've received 3 emails in sequence with content:
Hi [MY FIRST NAME],
Finish signing in to Dropbox with this one-time security code:
[ 6 DIGIT CODE]
If you didn't try to sign in, don't worry. You can safely ignore this email.
I freaked out because you can receive a 2FA code only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!
Adding headers here (redacted):
From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC:
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228
Headers look legit, it seems that email is not spoofed.
Is this some sort of bug? Can someone from dev/support explain what happened? There was this LastPass breach a few days ago and I am not sure if those are connected.
TL;DR: Received 2FA emails, however 2FA is not enabled on my account.
Just in case I updated my password once again (was changed a week ago).
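The header block quoted above is all the original poster had when concluding the message was "not spoofed". The following is an added example (not code from this thread and not Dropbox's) that parses such a header block and reports what it does and does not prove: the From domain, the domain in Message-ID, whether a third-party relay (here Amazon SES) sent it, and whether any receiver-added Authentication-Results or DKIM-Signature headers exist to back a spoofing verdict at all. SAMPLE_HEADERS is the poster's redacted block re-flowed one header per line; AUTHENTICATED_SAMPLE is a constructed variant carrying the authentication headers a receiving server would add, and the mx.example.net receiver name and the DKIM selector in it are invented for illustration.

```python
"""Report what a one-time-code e-mail's headers do and do not prove.

Added example for this thread (not Dropbox code). SAMPLE_HEADERS is the
original poster's redacted header block, re-flowed one header per line;
AUTHENTICATED_SAMPLE is a constructed variant with the Authentication-Results
and DKIM-Signature headers a receiving mail server records.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed from the headers quoted in the thread; placeholders are the poster's redactions.
SAMPLE_HEADERS = """\
From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC:
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228
"""

# Constructed: the same message as a receiver that verified SPF/DKIM/DMARC would store it
# (receiver name, selector and signature values are invented placeholders).
AUTHENTICATED_SAMPLE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazonses.com;"
    " dkim=pass header.d=dropbox.com; dmarc=pass header.from=dropbox.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=dropbox.com; s=sel1; h=From:To:Subject; bh=BODYHASH; b=SIG\n"
    + SAMPLE_HEADERS
)

# Headers a sender cannot usefully forge because the receiving server adds them.
PROVENANCE_HEADERS = ("Return-Path", "Received", "Authentication-Results", "DKIM-Signature")


def _domain(value: str) -> str:
    """Domain part of an address or Message-ID, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""


def analyze(raw_headers: str) -> dict:
    """Summarise sender provenance and give one of: unverifiable, failed, authenticated."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    msgid_domain = _domain(msg.get("Message-ID", ""))
    auth = msg.get("Authentication-Results")
    results = {k.lower(): v.lower()
               for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth or "", re.I)}
    dkim_m = re.search(r"header\.d=([A-Za-z0-9.-]+)", auth or "", re.I)
    dkim_domain = dkim_m.group(1).lower() if dkim_m else ""
    missing = [h for h in PROVENANCE_HEADERS if h not in msg]

    if auth is None:
        # No receiver verdict recorded: the visible headers neither prove nor disprove spoofing.
        verdict = "unverifiable"
    elif any(v != "pass" for v in results.values()) or dkim_domain != from_domain:
        # A failing check, or a DKIM domain not aligned with From, is a red flag.
        verdict = "failed"
    else:
        verdict = "authenticated"

    return {
        "from_domain": from_domain,
        "message_id_domain": msgid_domain,
        # A Message-ID minted by another domain (here Amazon SES) is normal for an
        # e-mail service provider; on its own it is evidence of neither spoofing nor legitimacy.
        "sent_via_third_party": not (msgid_domain == from_domain
                                     or msgid_domain.endswith("." + from_domain)),
        "authentication_results": results or None,
        "dkim_domain": dkim_domain or None,
        "missing": missing,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("as posted", SAMPLE_HEADERS), ("with auth results", AUTHENTICATED_SAMPLE)):
        print(label, "->", analyze(raw))
```

Run against the headers as posted, the verdict is "unverifiable": the block carries no Received, Return-Path, Authentication-Results or DKIM-Signature lines, so "headers look legit" can only be argued from the plausible SES Message-ID and Feedback-ID, which any sender using SES could also produce. The same message exported with the receiver's Authentication-Results gets "authenticated" only when SPF, DKIM and DMARC all pass and the DKIM signing domain matches the From domain.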
44 Replies
Replies have been turned off for this discussion
- Megan, 3 years ago, Dropbox Community Moderator
Hi Randy90, how are you today?
Can I reach out to you, in order for us to investigate further via email?
Keep me posted!
- radenkovic, 3 years ago, Helpful | Level 5
Can someone actually check the logs and compare IPs? It may be related to the November '22 Dropbox leak, so attackers may be brute-forcing passwords. It's very indicative from the previous posts that many users actually did not use their accounts at all (like me) and received messages.
Those are serious issues and our concerns are valid. Dropbox should be more transparent, provide additional information and explain what is going on. Just to note that the email correspondence was useless (you tried to log in, those are our security measures, and other nonsense).
The crucial question is: did someone try to brute-force my password, or is it a bug? I am completely sure that I did not use this account for months.
Also, this thing bothers me a lot, as user arana mentioned
"The correct password is not a requirement for this one-time code to be sent. "
From a security/resources perspective I don't see how it makes sense to send an OT code even if the password is not correct. I was trying to replicate this scenario, and I cannot replicate it at all (tried using a VPN, different locations, etc.).
Any chance to get some clarifications from opsec/tech team members?
- willywonka, 3 years ago, Helpful | Level 5
radenkovic, do you have any information or links to that Dropbox leak? I could not find it online for some reason.
Regarding checking IPs: it would be great to know which IPs attempted the logins. If someone has a log, please copy-paste it here. I have been told that only the highest-tier accounts in Dropbox have failed-login-attempt logs. I tried upgrading my account, but it won't show me retroactive data.
- MENTZC, 3 years ago, Helpful | Level 5
Yeah at a minimum there should be more information in these emails. In addition to the IP address, the "What" from the "We noticed a new sign in to your Dropbox" or similar.
- Jay, 3 years ago, Dropbox Community Moderator
Hi everyone, the correct password isn't required in order for the one time code to be sent via email.
For security reasons we can't provide any information as to what methods Dropbox uses to identify a login as suspicious.
- willywonka, 3 years ago, Helpful | Level 5
Hi Jay, I am a little confused by your answer.
Does it mean that someone tried to log in to our account, typed the correct email, but the wrong password? Let me know if I understood you correctly.
- Jay, 3 years ago, Dropbox Community Moderator
Yes, the password for the account doesn't need to be correct in order to receive this email.
- willywonka, 3 years ago, Helpful | Level 5
Hi Jay, does it mean someone typed my email in Dropbox, and then typed the incorrect password?
Or is there any other scenario in which that one-time code could be triggered?
- Jay, 3 years ago, Dropbox Community Moderator
That's correct, though aside from this, there are other items that Dropbox uses to detect a suspicious login attempt.
- Randy90, 3 years ago, Helpful | Level 5
So they have “methods” to detect suspicious activity but apparently me trying to log in using a VPN from a location I haven’t ever been before isn’t “suspicious” enough to trigger an OTP email?
I’m not buying it, if I had initially received just a single email then I’d most likely ignore it, perhaps change my password but nothing to get worked up about.
But the fact that me and MANY others received not 1, not 2 but THREE consecutive emails with OTPs in the span of a minute is insanely (as you’d put it) “suspicious”.
We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I’ve already attempted to replicate that, I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to.
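The exchange above turns on one design choice: whether an e-mailed one-time code goes out before or only after the password has been checked, and whether anything limits how many codes one account can trigger per minute. The following is an added model (not Dropbox's implementation; the thread says nothing about how Dropbox gates or throttles these e-mails, beyond the moderator's statement that a correct password is not required) that lets the two policies be compared on the exact scenario reported here: three wrong-password attempts against one account within a minute. The account name, the 60-second window, the PBKDF2 parameters and the outbox list are the example's own constructions.

```python
"""Model of the e-mailed one-time-code step in a login flow.

Added example for this thread; NOT Dropbox's code and no claim about how
Dropbox decides to send a code. It models the two behaviours debated above
(code e-mailed regardless of the password, or only after it checks out) plus
a per-account throttle, and replays the "three codes in one minute" scenario.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW_S = 60  # hypothetical throttle window for code e-mails, per account


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    code_times: List[int] = field(default_factory=list)  # when a code was e-mailed


@dataclass
class Outcome:
    shown: str      # what the client sees: "enter_code" or "bad_credentials"
    emailed: bool   # whether a one-time code actually left the outbox


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, code_requires_password: bool,
                 max_codes_per_window: Optional[int] = None) -> None:
        self.code_requires_password = code_requires_password
        self.max_codes_per_window = max_codes_per_window
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[int, str, str]] = []  # (time, recipient, code): stands in for the relay

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, _hash(password, salt))

    def attempt(self, email: str, password: str, now: int) -> Outcome:
        acct = self.accounts.get(email)
        if acct is None:
            return Outcome("bad_credentials", False)
        pw_ok = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

        if self.code_requires_password and not pw_ok:
            # Gated policy: a wrong password never triggers mail, but the response
            # itself now tells whoever is typing that the password was wrong.
            return Outcome("bad_credentials", False)

        # Ungated policy (or a correct password): the client always reaches the
        # code prompt, so this step reveals nothing about the password.
        recent = [t for t in acct.code_times if now - t < WINDOW_S]
        if self.max_codes_per_window is not None and len(recent) >= self.max_codes_per_window:
            return Outcome("enter_code", False)  # throttled: prompt shown, no new e-mail
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit code, as in the posted e-mail
        acct.code_times.append(now)
        self.outbox.append((now, email, code))
        return Outcome("enter_code", True)


def replay_three_wrong_passwords(service: LoginService) -> dict:
    """Three wrong-password attempts within one minute against one (constructed) account."""
    service.register("victim@example.com", "correct horse battery staple")
    outcomes = [service.attempt("victim@example.com", f"guess{i}", now=20 * i) for i in range(3)]
    return {"emails_sent": sum(o.emailed for o in outcomes),
            "client_saw": [o.shown for o in outcomes]}


def compare_policies() -> dict:
    return {
        "ungated_no_throttle": replay_three_wrong_passwords(LoginService(False)),
        "ungated_throttled": replay_three_wrong_passwords(LoginService(False, max_codes_per_window=1)),
        "password_gated": replay_three_wrong_passwords(LoginService(True)),
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:22s} e-mails sent: {result['emails_sent']}  client saw: {result['client_saw']}")
```

The ungated, unthrottled configuration is the only one that reproduces what the original poster saw: three codes e-mailed for three wrong passwords, with the attacker's own screen looking identical each time. Adding a one-code-per-minute throttle keeps that property while collapsing the mail to a single message; gating on the password sends nothing for wrong guesses but changes the response the guesser sees. Which of these any real service runs cannot be read off the thread, only off its logs.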