Hi all, A strange thing happened today, I've received 3 emails in sequence with content: Hi [MY FIRST NAME], Finish signing in to Dropbox with this one-time security code: [ 6 DIGIT CODE] If you didn't try to sign in, don't worry. You can safely ignore this email. I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!! Adding headers here (redacted): From: Dropbox <no-reply@dropbox.com> To: [MY EMAIL] CC: Subject: [6DIGITS CODE] is your Dropbox security code Date: Mon, 26 Dec 2022 11:03:37 +0000 Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com> X-Dropbox-Message-ID: 16683002164785652191 Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES X-SES-Outgoing: 2022.12.26-54.240.39.228 Headers look legit, it seems that email is not spoofed. Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected. TLDR; Received 2FA emails, however 2FA is not enabled on my account. Just in case I updated my password once again (was changed a week ago).

Hi, I had the exact same problem, 3 emails within 1-2 minutes. And it was definetely not me.I contacted support and they were completely useless. I even upgraded my account just to be able to chat to support, as someone having my password would require me to update a lot of accounts not just dropbox, but nobody was able to give me a straight answer.Here is what i have found so far per dropbox's own FAQs.https://help.dropbox.com/account-access/one-time-code There are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".But why on earth would i not worry if someone compromised my password? Makes no sense.So i try to understand, in what situation would this email be triggered, unless someone has my password?On a final note: I did today try to log in myself, from an unusual browser and using a vpn, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms, if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?If anyone can answer this question would be great, because i totally freaked out over the last few days trying to find the answer to this. thank you!

Randy90 wrote:We want answers and transparency, this was not someone trying to login using just the email on the off-chance because I’ve already attempted to replicate that, I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to.Yeah I tried as well from a VM created in another country from where I am. The front end doesn't trigger it with an invalid password. Maybe one of the API endpoints does but it is not worth my time to setup a developer account just to test this. At this point I am just going to delete my account. Even if my account wasn't compromised, and somehow believe the "Just ignore this" email we got 3 times in a row is just their internal system sending emails in error, I just can't trust them anymore. For all we know they had an internal breach, and they just haven't disclosed it yet.

Walter Rich sorry guys for bugging you again but It's very likely that you have some bug/security issue on the platform. In this reddit post, more people are complaining about the same thing:https://www.reddit.com/r/dropbox/comments/y3rl64/dropbox_spamming_dropbox_security_code_emails/- I also received 3 emails in one minute- No signs of compromise- Reddit post (screenshot is dated 27Dec), mine happened on 26Dec ANOTHER UPDATE:https://www.dropboxforum.com/t5/Security-and-Permissions/I-want-to-review-sign-in-attempts/td-p/646015Exactly the same behavior reported during the last week on your forums.- Also 3 emails in one minute Please report this to developers/security, this incident should be reviewed because there may be a way to compromise user accounts and bypass password.

"Someone has access to your password but don't worry they can't yet get to your dropbox account" is not a good message to receive in an email.

Hi radenkovic, I just sent you an email. Reply back to me, and we'll take it from there!

radenkovic

Helpful | Level 5

3 years ago

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

Hi all,

A strange thing happened today, I've received 3 emails in sequence with content:

Hi [MY FIRST NAME],

Finish signing in to Dropbox with this one-time security code:

[ 6 DIGIT CODE]

If you didn't try to sign in, don't worry. You can safely ignore this email.

I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!

Adding headers here (redacted):

From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC: 
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

Headers look legit, it seems that email is not spoofed.

Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected.

TLDR; Received 2FA emails, however 2FA is not enabled on my account.

Just in case I updated my password once again (was changed a week ago).

account access

security

44 Replies

Replies have been turned off for this discussion

Walter
Dropbox Community Moderator
3 years ago
Hey Randy90, thanks for flagging this with us.

Would it be OK if we reached out via email to investigate further?

As for you MichaelEngstler, note that I've just sent you an email, so please have a look at your inbox and we'll take it from there.

Thanks!
MENTZC
Helpful | Level 5
3 years ago
Same thing happened to me over the weekend out of the blue. Feel free to contact me as well.

I know they say "You can safely ignore this email." but this is concerning to me as I need to know the cause.
jmg2
New member | Level 2
3 years ago
Hello, this also occurred for me about 2 hours ago, three consecutive emails within the same minute. May I please be contacted via email?

Thanks
Nancy
Dropbox Community Moderator
3 years ago
Hey MENTZC and jmg2; I’m sorry to hear you’re having the same issue.

Did you check your Security page to make sure there are no unknown devices/browsers linked to your Dropbox account?

Also, is it possible to upload a screenshot of the email you received, so that I can have a look? Just make sure there’s no personal info showing.

Thanks!
MENTZC
Helpful | Level 5
3 years ago
No unknown devices/sessions on my account. I hardly ever log into it, so this is why it was so random to get them.

3 in less than a minute. All different codes.

I cannot be a coincidence that we are all getting exactly 3 in less than a minute. My hope is this is some kind of bug or related to a mobile app or something but "you can safely ignore this email" is horrible advice if an account password was compromised.
arana
Helpful | Level 6
3 years ago
Problem kinda solved, from the support team:
"I would like to let you know that these one-time codes are standard for if any attempt is made to log into an account from a new device. The correct password is not a requirement for this one-time code to be sent.
I can also confirm that your accounts are safe, as long as your email accounts are not compromised - I would strongly suggest that you set up 2FA if you want to secure your account access further. "
willywonka
Helpful | Level 5
3 years ago
Hi Arana, I think this is not a correct answer, I tried to log in putting the wrong password on purpose, and I did not receive any codes. Can you try to log in with a wrong password and let us know if you receive the codes? I was not able to reproduce it
Megan
Dropbox Community Moderator
3 years ago
Hi guys, for anyone still facing this, can I send you an email, in order for us to have a closer look into this?
willywonka
Helpful | Level 5
3 years ago
I am copy pasting the email i received from support down below. However, this email seems quite useless and does not answer the main question which is : How is that email triggered unless someone has the correct password?

I am assuming everyone received the same email as i am pasting here?

---

"Thank you for your patience as we are reviewing your case regarding the emails you received. I am a member of the Dropbox team.

I can confirm that the email that you have received is a legitimate email from Dropbox. You were sent this message because you have recently attempted to log in to your account. You will need to enter this verification code to complete the sign in process. This is not linked to 2 step verification and is an automated safety feature for your account.

We have implemented this to prevent abuse on your account. If you continue to receive these emails and you are not attempting to log in, we would recommend changing the email address connected to your account and securing your account by doing the following:

If you haven't done so already, please change your Dropbox account password, which you can do by clicking the link below and following the on-screen prompts:

https://www.dropbox.com/account/security

Please note: Dropbox recommends strong passwords that are not used for any other website or service. Once you change your password, the change will become effective immediately on all computers and devices linked to your account.

Change the password to the email address you use for your Dropbox account. Again, choose a strong password that you don't use for any other service (including Dropbox).

For added security, we recommend that you enable two-step verification, which protects your account even if your password is compromised. Once enabled, Dropbox will require a six-digit code in addition to your password when signing in to the Dropbox website or linking a new device. To learn more, please see:

https://help.dropbox.com/teams-admins/team-member/enable-two-step-verification

If you are having trouble logging in or if you have any further questions, please let me know and I will be happy to help.

Regards"
Randy90
Helpful | Level 5
3 years ago
I can also confirm when attempting to login to my account with an incorrect password it does not trigger the verification email that I received prior, even when using a VPN so there can be no excuse such as it knowing my original IP address that it wouldn’t need to verify it via email.

To the Moderators/Staff saying it’s just because of an unsuccessful sign-in attempt, you’ve been clearly proven wrong, why would you even NEED a verification number anyway if the login attempt wasn’t using the correct password and therefore unsuccessful?

This needs a serious investigation and not just palmed off with “oh it’s probably just because x”, there’s been even more people replying with the exact same issue even some that don’t even use their account that much.

Forum Discussion

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

44 Replies

About Security and Permissions

Related Content

Backup every 15 minutes option not available once you surpass 1TB?

Opening the Dropbox folder enables Num Lock.

Receiving hundreds of emails

Capture limited to 120 minutes now

Not receiving 6 digit verification code

Recent Discussions

I need help accessing my Dropbox account. No access to email, so I can't receive the security code.

Can't access account under deleted email

Not receiving the 6-digit security code so I can't access my account.

Can I access my old Dropbox account on my new PC?

Does deleting a member delete files they uploaded to our Team Folder?