Security and Permissions

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

radenkovic
Helpful | Level 5

Hi all,

A strange thing happened today, I've received 3 emails in sequence with this content:

Hi [MY FIRST NAME],

Finish signing in to Dropbox with this one-time security code:

[ 6 DIGIT CODE]

If you didn't try to sign in, don't worry. You can safely ignore this email.

I freaked out because you can receive a 2FA code only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!

Adding headers here (redacted):

From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC: 
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

Headers look legit; it seems that the email is not spoofed.

Is this some sort of bug? Can someone from dev/support explain what happened? There was this LastPass breach a few days ago and I am not sure if those are connected.

TL;DR: Received 2FA emails, however 2FA is not enabled on my account.

Just in case, I updated my password once again (it was changed a week ago).
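The header block above is the kind of thing a practitioner would triage offline before settling on "headers look legit", and the "3 emails in one minute" pattern recurs in the replies further down. The script below is an added example and is not code from this thread or from Dropbox. It parses header sets constructed to resemble the redacted ones posted above (the recipient address, the Message-ID local parts, the second and third timestamps and the spoofed sample are all assumptions), checks that the From: domain and the Message-ID domain are consistent with Dropbox mail relayed through Amazon SES as the posted headers show, flags that without an Authentication-Results line from your own receiving mail server the SPF/DKIM/DMARC verdict is unknown, and detects a burst of three codes inside one minute.

```python
"""Offline triage of Dropbox one-time-code notification emails.

Added example, not code from the thread or from Dropbox. The header sets
below are CONSTRUCTED to resemble the redacted headers in the post; the
recipient, the Message-ID local parts and the later timestamps are assumptions.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

EXPECTED_FROM_DOMAIN = "dropbox.com"
# The posted headers show the mail relayed through Amazon SES, so a
# Message-ID minted there is consistent with a genuine Dropbox mail.
EXPECTED_RELAY_DOMAINS = {"email.amazonses.com"}

SES_OUTGOING_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}-(\d{1,3}(?:\.\d{1,3}){3})$")
CODE_RE = re.compile(r"\b(\d{6})\b")


def _sample(code: str, stamp: str, seq: int) -> str:
    """Constructed header set shaped like the redacted one in the post."""
    return (
        "From: Dropbox <no-reply@dropbox.com>\n"
        "To: victim@example.com\n"
        f"Subject: {code} is your Dropbox security code\n"
        f"Date: Mon, 26 Dec 2022 {stamp} +0000\n"
        f"Message-ID: <010001854e1a3116-{seq:04d}@email.amazonses.com>\n"
        "X-SES-Outgoing: 2022.12.26-54.240.39.228\n"
    )


# Three code mails inside one minute, as the post describes.
SAMPLE_HEADERS = [
    _sample("123456", "11:03:37", 1),
    _sample("654321", "11:03:52", 2),
    _sample("246810", "11:04:11", 3),
]

# Constructed forgery: display name says Dropbox, the domains do not match,
# and the receiving MTA recorded an SPF failure.
SPOOFED_HEADERS = (
    "From: Dropbox <no-reply@dropbox-security.example>\n"
    "To: victim@example.com\n"
    "Subject: 111111 is your Dropbox security code\n"
    "Date: Tue, 27 Dec 2022 09:15:00 +0000\n"
    "Message-ID: <abc123@mail.example.net>\n"
    "Authentication-Results: mx.example.com; spf=fail "
    "smtp.mailfrom=dropbox-security.example; dkim=none\n"
)


def _domain_of(address: str) -> str:
    """Lower-cased domain of an address or Message-ID, '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_headers: str) -> dict:
    """Extract the fields worth looking at and list consistency findings."""
    msg = message_from_string(raw_headers)
    from_domain = _domain_of(parseaddr(msg.get("From", ""))[1])
    msgid_domain = _domain_of((msg.get("Message-ID") or "").strip().strip("<>"))
    ses = SES_OUTGOING_RE.match((msg.get("X-SES-Outgoing") or "").strip())
    code = CODE_RE.search(msg.get("Subject", ""))
    auth = msg.get("Authentication-Results")
    date = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None

    findings = []
    if from_domain != EXPECTED_FROM_DOMAIN:
        findings.append(f"From: domain {from_domain!r} is not {EXPECTED_FROM_DOMAIN}")
    if msgid_domain not in EXPECTED_RELAY_DOMAINS and msgid_domain != EXPECTED_FROM_DOMAIN:
        findings.append(f"Message-ID domain {msgid_domain!r} is not a known Dropbox relay")
    if auth is None:
        # The posted headers have no such line; only the receiving MTA can add it.
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC verdict unknown")
    elif not (re.search(r"\bspf=pass\b", auth) and re.search(r"\bdkim=pass\b", auth)):
        findings.append("Authentication-Results lacks spf=pass and dkim=pass")
    return {
        "date": date,
        "from_domain": from_domain,
        "message_id_domain": msgid_domain,
        "ses_ip": ses.group(1) if ses else None,
        "code": code.group(1) if code else None,
        "authentication_results": auth,
        "findings": findings,
    }


def detect_burst(dates, window=timedelta(seconds=60), threshold=3) -> bool:
    """True if at least `threshold` mails fall inside any span of length `window`."""
    ordered = sorted(d for d in dates if d is not None)
    return any(
        ordered[i + threshold - 1] - ordered[i] <= window
        for i in range(len(ordered) - threshold + 1)
    )


if __name__ == "__main__":
    reports = [triage(h) for h in SAMPLE_HEADERS]
    for r in reports:
        print(r["date"], r["code"], r["ses_ip"], r["findings"])
    print("burst inside one minute:", detect_burst(r["date"] for r in reports))
    print("spoofed sample findings:", triage(SPOOFED_HEADERS)["findings"])
```

The From:/Message-ID comparison only catches crude forgeries; the check that actually settles "spoofed or not" is the Authentication-Results line your own mail server adds on receipt, which the posted headers do not include. A burst of codes with no unknown session on the Security page is consistent with the login attempts failing at the code step, which is why the replies below concentrate on sessions and password rotation rather than on the emails themselves.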

 

44 Replies

Rich
Super User II

@radenkovic wrote:

Received 2FA emails, however 2FA is not enabled on my account.


That's not a two-step verification email. That's a one-time security code email. Similar, but different. You don't need to have two-step verification enabled to receive the one-time security code. Dropbox will request a code if they feel a login attempt is suspicious.

Even though they didn't get into your account, you probably should review the active sessions and devices linked to your account, and change your password. You can do both from your Security page.

radenkovic
Helpful | Level 5

Thanks Rich! Does that mean that the malicious actor entered the correct password?  

Just FYI I changed my password after the incident and enabled 2FA. Also, there are no suspicious sessions/logins on my account (active sessions).

Nancy
Dropbox Staff

Hey @radenkovic,

Is there any chance that you had previously stored your Dropbox password somewhere that was accessible by another user/person?

If you don’t see any trace of another device/browser on your Security tab though, it means that no one else managed to log in to your Dropbox account.

Also, good thinking on resetting your Dropbox password/enabling 2FA; that should do it.


Nancy
Community Moderator @ Dropbox

radenkovic
Helpful | Level 5

@Nancy, thanks for your input! I don't have any files on that Dropbox account and have decent security practices (using a password manager, not reusing passwords, etc.). It may be that I'm compromised, but I doubt it; that's why I am checking.

Is it possible to check logs with the timestamp from my first post and confirm that someone actually tried to log in with the correct password?

Walter
Dropbox Staff

Hey @radenkovic, sorry to jump in, but I just wanted to confirm that the email you received seems to have come from an official Dropbox domain.

Just in case, you can change your account's password, as the one-time code that was sent to you would indeed only be sent if the password entered was correct.

The only timestamps about this incident you can check are the ones from any email you may have received during that time; you could also check your account's Security page for any web sessions that you don't recognize, etc.

I hope this helps!


Walter
Community Moderator @ Dropbox

radenkovic
Helpful | Level 5

Thanks Walter! I've already updated the password, second time this week.

There were no suspicious sessions on my account (also there are 0 files in my dropbox so nothing really to compromise). 

 

Just to mention that I am well-seasoned with OpSec and have worked on many anti-fraud/phishing/scam projects, and was genuinely worried that I'm being targeted as revenge or something. The password itself was brute-force proof and autogenerated (16+ chars, a-Z0-9 and symbols), not stored anywhere except in my password manager (I suspected that it was compromised but it's unlikely), no traces of malware on my computer, and no other accounts from the manager were compromised (although I changed all the passwords and moved to a local password manager).

radenkovic
Helpful | Level 5

@Walter @Rich sorry guys for bugging you again, but it's very likely that you have some bug/security issue on the platform.

In this reddit post, more people are complaining about the same thing:
https://www.reddit.com/r/dropbox/comments/y3rl64/dropbox_spamming_dropbox_security_code_emails/

- I also received 3 emails in one minute

- No signs of compromise

- Reddit post (screenshot is dated 27 Dec); mine happened on 26 Dec

ANOTHER UPDATE:

https://www.dropboxforum.com/t5/Security-and-Permissions/I-want-to-review-sign-in-attempts/td-p/6460...

Exactly the same behavior reported during the last week on your forums.

- Also 3 emails in one minute

[screenshot attached: radenkovic_0-1672405577750.png]

Please report this to developers/security. This incident should be reviewed because there may be a way to compromise user accounts and bypass the password.

willywonka
Helpful | Level 5

Hi,

I had the exact same problem, 3 emails within 1-2 minutes. And it was definitely not me.

I contacted support and they were completely useless. I even upgraded my account just to be able to chat with support, as someone having my password would require me to update a lot of accounts, not just Dropbox, but nobody was able to give me a straight answer.

Here is what I have found so far per Dropbox's own FAQs.

https://help.dropbox.com/account-access/one-time-code

There are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".

But why on earth would I not worry if someone compromised my password? Makes no sense.

So I try to understand, in what situation would this email be triggered, unless someone has my password?

On a final note: I did today try to log in myself, from an unusual browser and using a VPN, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms that if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?

If anyone can answer this question, that would be great, because I totally freaked out over the last few days trying to find the answer to this.

Thank you!

arana
Helpful | Level 6

"Someone has access to your password but don't worry they can't yet get to your dropbox account" is not a good message to receive in an email.
