Received 3 2FA emails in one minute, but 2FA was not enabled on my account

radenkovic
Helpful | Level 5

Hi all,

A strange thing happened today. I've received 3 emails in sequence with this content:

Hi [MY FIRST NAME],

Finish signing in to Dropbox with this one-time security code:

[6 DIGIT CODE]

If you didn't try to sign in, don't worry. You can safely ignore this email.

I freaked out because you can receive 2FA only if you enter the correct password. Upon investigating I figured out that my account does NOT have 2FA enabled!!!

Adding headers here (redacted):

From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC: 
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

Headers look legit; it seems that the email is not spoofed.

Is this some sort of bug? Can someone from dev/support explain what happened? There was this LastPass breach a few days ago and I am not sure if those are connected.

TL;DR: Received 2FA emails, however 2FA is not enabled on my account.

Just in case, I updated my password once again (it was changed a week ago).
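One way to triage a message like this from its headers, as an added example that is not code from the original post or from Dropbox: parse the header block and base the verdict on the receiving mail server's Authentication-Results header (SPF, DKIM, DMARC), not on From or Message-ID, which any sender can set to whatever it likes. The first sample is the header block quoted above; the Authentication-Results values and the mx.example.net receiver in the other two samples are constructed for illustration. Run on the quoted headers alone, the check reports "unverifiable", because that block carries no receiver-side authentication result.

```python
"""Triage of a one-time-code e-mail from its headers (added example)."""
import email
import re
from email.utils import parseaddr

# Header block as quoted in the post; redacted values kept as placeholders.
POSTED_HEADERS = """\
From: Dropbox <no-reply@dropbox.com>
To: [MY EMAIL]
CC:
Subject: [6DIGITS CODE] is your Dropbox security code
Date: Mon, 26 Dec 2022 11:03:37 +0000
Message-ID: <010001854e1a3116-24a80716-e9c4-40f4-94d3-1ebadcdc1fa9-000000@email.amazonses.com>
X-Dropbox-Message-ID: 16683002164785652191
Feedback-ID: 1.us-east-1.syWQ1+fF8Wo1tY8y/+s85ptiAKu7bILK6PHyxwpB+xo=:AmazonSES
X-SES-Outgoing: 2022.12.26-54.240.39.228

"""

# Constructed: the same message with the Authentication-Results header that a
# receiving mail server (hypothetical mx.example.net) adds after checking SPF,
# DKIM and DMARC. Only this receiver-added header is evidence of authenticity.
AUTHENTICATED_HEADERS = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazonses.com;"
    " dkim=pass header.d=dropbox.com; dmarc=pass header.from=dropbox.com\n"
    + POSTED_HEADERS
)

# Constructed: a look-alike whose DKIM and DMARC checks failed at the receiver.
FAILED_HEADERS = (
    "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=bad.example;"
    " dkim=fail header.d=dropbox.com; dmarc=fail header.from=dropbox.com\n"
    + POSTED_HEADERS
)

EXPECTED_FROM_DOMAIN = "dropbox.com"
_AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def domain_of(header_value):
    """Return the lower-cased domain of an address-like header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def authentication_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header.
    Returns an empty dict when the receiving server added none."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in _AUTH_RESULT.findall(value):
            results.setdefault(mechanism, verdict)
    return results


def triage(raw_headers):
    """Classify a raw header block as suspicious, unverifiable, authenticated or failed."""
    msg = email.message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From"))
    auth = authentication_results(msg)
    # Relay hints are informational only: a sender controls these headers too.
    via_ses = (domain_of(msg.get("Message-ID")).endswith("amazonses.com")
               or msg.get("X-SES-Outgoing") is not None)
    if from_domain != EXPECTED_FROM_DOMAIN:
        verdict = "suspicious"    # visible sender domain is not the expected one
    elif not auth:
        verdict = "unverifiable"  # nothing in this block was checked by the receiver
    elif auth.get("dmarc") == "pass" or auth.get("dkim") == "pass":
        verdict = "authenticated"
    else:
        verdict = "failed"
    return {"from_domain": from_domain, "via_ses": via_ses,
            "auth": auth, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in [("posted", POSTED_HEADERS),
                          ("authenticated", AUTHENTICATED_HEADERS),
                          ("failed", FAILED_HEADERS)]:
        print(label, triage(sample))
```

The quoted block does show an Amazon SES relay (the Message-ID domain and X-SES-Outgoing), which is consistent with a large sender's mail pipeline but is not proof of origin. What to inspect is the full raw message as the mailbox provider stored it, including any Authentication-Results or Received-SPF headers it added on receipt; those are the only lines the sender could not have written.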

 

44 Replies

Randy90
Helpful | Level 5
So they have “methods” to detect suspicious activity, but apparently me trying to log in using a VPN from a location I haven’t ever been before isn’t “suspicious” enough to trigger an OTP email?

I’m not buying it. If I had initially received just a single email then I’d most likely ignore it, perhaps change my password, but nothing to get worked up about.

But the fact that me and MANY others received not 1, not 2 but THREE consecutive emails with OTPs in the span of a minute is insanely (as you’d put it) “suspicious”.

We want answers and transparency. This was not someone trying to log in using just the email on the off-chance, because I’ve already attempted to replicate that: I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to.

BabylonBubbles
New member | Level 2

The six-digit code is necessary for every **bleep** login. This hinders my workflow enormously. I've turned 2FA on and off a few times, but Dropbox insists that I log in this way. I also only work from the same two devices that have permission. No one else has access to it.
I am absolutely annoyed by it. I don't want this! How can I get rid of this?

Rich
Super User II

@BabylonBubbles wrote:

The six-digit code is necessary for every **bleep** login. ... How can I get rid of this?


There's two-step verification and there are one-time security codes. Two-step verification is something the user enables and can be turned off. One-time security codes are requested when Dropbox believes a login attempt is suspicious, and cannot be disabled.

MENTZC
Helpful | Level 5

@Randy90 wrote:
We want answers and transparency. This was not someone trying to log in using just the email on the off-chance, because I’ve already attempted to replicate that: I didn’t receive a single email no matter how many times I tried it or wherever I moved the VPN to.

Yeah, I tried as well from a VM created in another country from where I am. The front end doesn't trigger it with an invalid password. Maybe one of the API endpoints does, but it is not worth my time to set up a developer account just to test this.

 

At this point I am just going to delete my account. Even if my account wasn't compromised, and I somehow believe the "Just ignore this" email we got 3 times in a row is just their internal system sending emails in error, I just can't trust them anymore. For all we know they had an internal breach and they just haven't disclosed it yet.

willywonka
Helpful | Level 5

I also believe there could be a leak that they decided not to disclose in order to protect their reputation.

I also decided to delete all my files from Dropbox given the lack of transparency on the topic.
