Security and Permissions

Received 3 2FA emails in one minute, but 2FA was not enabled on my account

radenkovic
Helpful | Level 5

Hi all,

A strange thing happened today: I received 3 emails in sequence with this content:

Hi [MY FIRST NAME],

Finish signing in to Dropbox with this one-time security code:

[6 DIGIT CODE]

If you didn't try to sign in, don't worry. You can safely ignore this email.

I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating, I figured out that my account does NOT have 2FA enabled!!!

Adding headers here (redacted):

From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC: 
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

Headers look legit; it seems the email is not spoofed.

Is this some sort of bug? Can someone from dev/support explain what happened? There was this LastPass breach a few days ago and I am not sure if those are connected.

TL;DR: Received 2FA emails; however, 2FA is not enabled on my account.

Just in case, I updated my password once again (it was changed a week ago).

44 Replies

Randy90
Helpful | Level 5
I can also confirm that when attempting to log in to my account with an incorrect password, it does not trigger the verification email that I received prior, even when using a VPN, so there can be no excuse such as it knowing my original IP address and therefore not needing to verify it via email.

To the Moderators/Staff saying it's just because of an unsuccessful sign-in attempt: you've been clearly proven wrong. Why would you even NEED a verification number anyway if the login attempt wasn't using the correct password and was therefore unsuccessful?

This needs a serious investigation and not just being palmed off with "oh it's probably just because x". There have been even more people replying with the exact same issue, even some that don't even use their account that much.

Megan
Dropbox Staff

Hi @Randy90, how are you today?

Can I reach out to you so that we can investigate further via email?

Keep me posted!



radenkovic
Helpful | Level 5

Can someone actually check the logs and compare IPs? It may be related to the November '22 Dropbox leak, so attackers may be brute-forcing passwords. It's very indicative from the previous posts that many users actually did not use their accounts at all (like me) and still received messages.

Those are serious issues and our concerns are valid. Dropbox should be more transparent, provide additional information and explain what is going on. Just to note that the email correspondence was useless ("you tried to log in, those are our security measures" and other nonsense).

The crucial question is: did someone try to brute-force my password, or is it a bug? I am completely sure that I did not use this account for months.

Also, this thing bothers me a lot, as user @arana mentioned:

"The correct password is not a requirement for this one-time code to be sent."

From a security/resources perspective, I don't see how it makes sense to send a one-time code even if the password is not correct. I was trying to replicate this scenario, and I cannot replicate it at all (tried using a VPN, different locations, etc.).

Any chance to get some clarification from opsec/tech team members?

willywonka
Helpful | Level 5

@radenkovic, do you have any information or links to that Dropbox leak? I could not find it online for some reason.

Regarding checking IPs: it would be great to know which IPs attempted the logins. If someone has a log, please copy-paste it here. I have been told that only the highest-tier accounts in Dropbox have failed login attempt logs. I tried upgrading my account, but it won't show me retroactive data.

MENTZC
Helpful | Level 5

Yeah, at a minimum there should be more information in these emails: in addition to the IP address, the "What" from the "We noticed a new sign in to your Dropbox" email or similar.

Jay
Dropbox Staff

Hi everyone, the correct password isn't required in order for the one-time code to be sent via email.

For security reasons we can't provide any information as to what methods Dropbox uses to identify a login as suspicious.



willywonka
Helpful | Level 5

Hi @Jay, I am a little confused by your answer.
Does it mean that someone tried to log in to our account, typed the correct email, but the wrong password? Let me know if I understood you correctly.

Jay
Dropbox Staff

Yes, the password for the account doesn't need to be correct in order to receive this email. 



willywonka
Helpful | Level 5

Hi @Jay, does it mean someone typed my email in Dropbox, and then typed the incorrect password?
Or is there any other scenario in which that one-time code could be triggered?

Jay
Dropbox Staff

That's correct, though aside from this, there are other items that Dropbox uses to detect a suspicious login attempt.


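Jay's replies describe a flow in which a one-time code is emailed on a suspicious-looking attempt even when the password is wrong, which several posters found puzzling. The sketch below is an added illustration, not Dropbox's code; the sample account, the addresses and the "unfamiliar address" risk signal are constructed stand-ins for the undisclosed checks. It shows one defensive reason such a design makes sense (the client sees the same response whether or not the password was right, so requesting a code reveals nothing about password validity) and adds a per-account send counter that would surface a burst like the three codes in one minute reported at the top of the thread.

```python
# Added illustration (not Dropbox's own code): a one-time code is e-mailed on
# any suspicious-looking attempt, whether or not the password was correct, and
# the response is identical either way, so requesting a code is not an oracle.
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


def hash_pw(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # stand-in for argon2/bcrypt


class LoginService:
    def __init__(self):
        # Constructed sample account and the address it last signed in from.
        self.users = {"alice@example.com": hash_pw("correct horse")}
        self.known_ips = {"alice@example.com": {"203.0.113.5"}}
        self.pending = {}                   # email -> (code, password_was_ok)
        self.sent_log = defaultdict(deque)  # email -> times a code was sent

    def looks_suspicious(self, email: str, ip: str) -> bool:
        # Stand-in for the undisclosed risk signals: an unfamiliar address.
        return ip not in self.known_ips.get(email, set())

    def attempt_login(self, email: str, password: str, ip: str, now: float) -> str:
        stored = self.users.get(email)
        pw_ok = stored is not None and hmac.compare_digest(stored, hash_pw(password))
        if stored is not None and self.looks_suspicious(email, ip):
            code = f"{secrets.randbelow(10**6):06d}"  # the e-mailed 6-digit code
            self.pending[email] = (code, pw_ok)        # record, but never reveal, pw result
            self.sent_log[email].append(now)
            return "code_required"                     # same answer whether pw_ok or not
        return "ok" if pw_ok else "invalid"

    def verify_code(self, email: str, code: str) -> str:
        # Sign-in completes only if the code AND the earlier password were right.
        entry = self.pending.pop(email, None)
        if entry is None:
            return "invalid"
        expected, pw_ok = entry
        return "ok" if pw_ok and hmac.compare_digest(expected, code) else "invalid"

    def codes_sent_within(self, email: str, now: float, window: float = 60) -> int:
        # Detection helper: codes sent to this account in the last `window` seconds.
        q = self.sent_log[email]
        while q and now - q[0] > window:
            q.popleft()
        return len(q)
```

A wrong password followed by the correct emailed code still fails, so the code step adds a factor rather than replacing the password check.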
