Hi all, A strange thing happened today, I've received 3 emails in sequence with content: Hi [MY FIRST NAME], Finish signing in to Dropbox with this one-time security code: [ 6 DIGIT CODE] If you didn't try to sign in, don't worry. You can safely ignore this email. I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!! Adding headers here (redacted): From: Dropbox <no-reply@dropbox.com> To: [MY EMAIL] CC: Subject: [6DIGITS CODE] is your Dropbox security code Date: Mon, 26 Dec 2022 11:03:37 +0000 Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com> X-Dropbox-Message-ID: 16683002164785652191 Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES X-SES-Outgoing: 2022.12.26-54.240.39.228 Headers look legit, it seems that email is not spoofed. Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected. TLDR; Received 2FA emails, however 2FA is not enabled on my account. Just in case I updated my password once again (was changed a week ago).

Hi, I had the exact same problem, 3 emails within 1-2 minutes. And it was definetely not me.I contacted support and they were completely useless. I even upgraded my account just to be able to chat to support, as someone having my password would require me to update a lot of accounts not just dropbox, but nobody was able to give me a straight answer.Here is what i have found so far per dropbox's own FAQs.https://help.dropbox.com/account-access/one-time-code There are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".But why on earth would i not worry if someone compromised my password? Makes no sense.So i try to understand, in what situation would this email be triggered, unless someone has my password?On a final note: I did today try to log in myself, from an unusual browser and using a vpn, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms, if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?If anyone can answer this question would be great, because i totally freaked out over the last few days trying to find the answer to this. thank you!

Randy90 wrote:We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I’ve already attempted to replicate that, I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to.Yeah I tried as well from a VM created in another country from where I am. The front end doesn't trigger it with an invalid password. Maybe one of the API endpoints does but it is not worth my time to setup a developer account just to test this. At this point I am just going to delete my account. Even if my account wasn't compromised, and somehow believe the "Just ignore this" email we got 3 times in a row is just their internal system sending emails in error, I just can't trust them anymore. For all we know they had an internal breach, and they just haven't disclosed it yet.

Walter Rich sorry guys for bugging you again but It's very likely that you have some bug/security issue on the platform. In this reddit post, more people are complaining about the same thing:https://www.reddit.com/r/dropbox/comments/y3rl64/dropbox_spamming_dropbox_security_code_emails/- I also received 3 emails in one minute- No signs of compromise- Reddit post (screenshot is dated 27Dec), mine happened on 26Dec ANOTHER UPDATE:https://www.dropboxforum.com/t5/Security-and-Permissions/I-want-to-review-sign-in-attempts/td-p/646015Exactly the same behavior reported during the last week on your forums.- Also 3 emails in one minute Please report this to developers/security, this incident should be reviewed because there may be a way to compromise user accounts and bypass password.

"Someone has access to your password but don't worry they can't yet get to your dropbox account" is not a good message to receive in an email.

Hi radenkovic, I just sent you an email. Reply back to me, and we'll take it from there!

Forum Discussion

radenkovic

Helpful | Level 5

3 years ago

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

Hi all,

A strange thing happened today, I've received 3 emails in sequence with content:

Hi [MY FIRST NAME],

Finish signing in to Dropbox with this one-time security code:

[ 6 DIGIT CODE]

If you didn't try to sign in, don't worry. You can safely ignore this email.

I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!

Adding headers here (redacted):

From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC: 
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

Headers look legit, it seems that email is not spoofed.

Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected.

TLDR; Received 2FA emails, however 2FA is not enabled on my account.

Just in case I updated my password once again (was changed a week ago).

account access

security

44 Replies

Replies have been turned off for this discussion

BabylonBubbles
New member | Level 2
3 years ago
The six-digit code is necessary for every **bleep** login. This hinders my workflow enormously. I've turned the 2fA on and off a few times, but Dropbox insists that I log in this way. I also only work from the same two devices that have permission. No one else has access to it.
I am absolutely annoyed by it. I don't want this! How can I get rid ob this?
Rich
Super User II
3 years ago
BabylonBubbles wrote:

The six-digit code is necessary for every **bleep** login. ... How can I get rid ob this?

There's two-step verification and there are one-time security codes. Two-step verification is something the user enables and can be turned off. One-time security codes are requested when Dropbox believes a login attempt is suspicious, and cannot be disabled.
MENTZC
Helpful | Level 5
3 years ago
Randy90 wrote:
We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I’ve already attempted to replicate that, I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to.
Yeah I tried as well from a VM created in another country from where I am. The front end doesn't trigger it with an invalid password. Maybe one of the API endpoints does but it is not worth my time to setup a developer account just to test this.

At this point I am just going to delete my account. Even if my account wasn't compromised, and somehow believe the "Just ignore this" email we got 3 times in a row is just their internal system sending emails in error, I just can't trust them anymore. For all we know they had an internal breach, and they just haven't disclosed it yet.
willywonka
Helpful | Level 5
3 years ago
I also believe there can be a leak, that they decided to not disclose in order to protect their reputation.

I also decided to delete all my files from dropbox given the lack of transparency in the topic.

About Security and Permissions

Start a discussion in the Dropbox Community forum to get help with your account security and permissions. Find support from Community members.

The Dropbox Community team is active from Monday to Friday. We try to respond to you as soon as we can, usually within 2 hours.

If you need more help you can view your support options (expected response time for an email or ticket is 24 hours), or contact us on X, Facebook or Instagram.

For more info on available support options for your Dropbox plan, see this article.

If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!

Forum Discussion

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

44 Replies

About Security and Permissions

Related Content

Backup every 15 minutes option not available once you surpass 1TB?

Opening the Dropbox folder enables Num Lock.

Receiving hundreds of emails

Capture limited to 120 minutes now

Not receiving 6 digit verification code

Recent Discussions

I need help accessing my Dropbox account. No access to email, so I can't receive the security code.

Can't access account under deleted email

Not receiving the 6-digit security code so I can't access my account.

Can I access my old Dropbox account on my new PC?

Does deleting a member delete files they uploaded to our Team Folder?