Security and Permissions
Start a discussion in the Dropbox Community forum to get help with your account security and permissions. Find support from Community members.
A strange thing happened today, I've received 3 emails in sequence with content:
Hi [MY FIRST NAME], Finish signing in to Dropbox with this one-time security code: [ 6 DIGIT CODE] If you didn't try to sign in, don't worry. You can safely ignore this email.
I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!
Adding headers here (redacted):
From: Dropbox <email@example.com> To: [MY EMAIL] CC: Subject: [6DIGITS CODE] is your Dropbox security code Date: Mon, 26 Dec 2022 11:03:37 +0000 Message-ID: <firstname.lastname@example.org> X-Dropbox-Message-ID: 16683002164785652191 Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES X-SES-Outgoing: 2022.12.26-18.104.22.168
Headers look legit, it seems that email is not spoofed.
Is this some sort of bug, can someone from dev/support can explain what happened? There was this Lastpass breach a few days ago and I am not sure if those are connected.
TLDR; Received 2FA emails, however 2FA is not enabled on my account.
Just in case I updated my password once again (was changed a week ago).
Received 2FA emails, however 2FA is not enabled on my account.
That's not a two-step verification email. That's a one-time security code email. Similar, but different. You don't need to have two-step verification enable to receive the one-time security code. Dropbox will request a code if they feel a login attempt is suspicious.
Even though they didn't get in to your account, you probably should review the active sessions and devices linked to your account, and change your password. You can do both from your Security page.
Thanks Rich! Does that mean that the malicious actor entered the correct password?
Just FYI I changed my password after the incident and enabled 2FA. Also, there are no suspicious sessions/logins on my account (active sessions).
Is there any chance that you had previously stored your Dropbox password somewhere that was accessible by another user/person?
If you don’t see any trace of another device/browser on your Security tab though, it means that no one else managed to log in to your Dropbox account.
Also, good thinking on resetting your Dropbox password/enabling 2FA; that should do it.
@Nancy, thanks for your input! I don't have any files on that dropbox account and have decent security practices (using password manager, not reusing passwords etc), it may be that I'm compromised, but I doubt it, that's why I am checking.
Is it possible to check logs with timestamp from my first post and confirm that someone actually tried to login with correct pw?
Hey @radenkovic, sorry to jump in, but I just wanted to confirm that the email you received seems to have come from an official Dropbox domain.
Just in case, you can change your account's password as the one time code that was sent to you would indeed only be sent if the password entered was correct.
The only timestamps about this incident you can check are the ones from any email you may have received during that time while you could also check your account's Security page for any web sessions that you don't recognize etc.
I hope this helps!
Thanks Walter! I've already updated the password, second time this week.
There were no suspicious sessions on my account (also there are 0 files in my dropbox so nothing really to compromise).
Just to mention that I am well-seasoned with OpSec and worked on many anti-fraud/phishing/scam projects, and was genuinely worried if I'm targeted as a revenge or something. The password itself was brute-force proof and autogenerated (16+ chars, a-Z0-9 and symbols), not stored anywhere except in my password manager (I suspected that it was compromised but it's unlikely), no traces of malware on my computer, and no other accounts from the manager were compromised (although I changed all the passwords and moved to local pw manager).
In this reddit post, more people are complaining about the same thing:
- I also received 3 emails in one minute
- No signs of compromise
- Reddit post (screenshot is dated 27Dec), mine happened on 26Dec
Exactly the same behavior reported during the last week on your forums.
- Also 3 emails in one minute
Please report this to developers/security, this incident should be reviewed because there may be a way to compromise user accounts and bypass password.
I had the exact same problem, 3 emails within 1-2 minutes. And it was definetely not me.
I contacted support and they were completely useless. I even upgraded my account just to be able to chat to support, as someone having my password would require me to update a lot of accounts not just dropbox, but nobody was able to give me a straight answer.
Here is what i have found so far per dropbox's own FAQs.
There are 2 types of emails, one that says something like "if it was not you, click here to change your password", and the other one that says "if it was not you, don't worry".
But why on earth would i not worry if someone compromised my password? Makes no sense.
So i try to understand, in what situation would this email be triggered, unless someone has my password?
On a final note: I did today try to log in myself, from an unusual browser and using a vpn, in order to trigger a warning on purpose. I did receive the email that says something like "if it was not you, click here". So this confirms, if someone has your password, you will receive that kind of email. But the question remains, what is the point of the other email that says "don't worry"?
If anyone can answer this question would be great, because i totally freaked out over the last few days trying to find the answer to this.
For more info on available support options for your Dropbox plan, see this article.
If you found the answer to your question in this Community thread, please 'like' the post to say thanks and to let us know it was useful!