Dropbox users' email addresses targeted by spam?

71 points by Xymak1y almost 13 years ago
edit: I updated the title to more specifically address the issue.

10 comments

floatingatoll almost 13 years ago
If the user's computer is compromised, a simple SQLite query run against the Dropbox configuration database would reveal all Dropbox email addresses in use by that user.

If the user's email is compromised, the Dropbox confirmation email would be easy to locate and harvest, either from their mailbox, or their mail hosting provider's delivery logs.

(Usually, however, malware simply scans for *all* incoming email addresses, and then reports them to a central authority for later spamming.)

EDIT: As pointed out elsewhere in this thread, the email address <dropbox@yourdomain> is trivially guessable by dictionary spam attacks.

There are many routes to this information leaking. It is not at all apparent whether it's Dropbox yet.

Given that Dropbox security is actively responding in the linked forum, it seems as though this HN post - submitted by one of the users posting in that thread as "affected" - is solely to create "buzz", rather than to share news with Hacker News.
dr_faustus almost 13 years ago
Just searched in my Spam folder for the email address I only use for Dropbox et voilà: I got the spam messages mentioned. After the password-gate last year (http://blog.dropbox.com/index.php/yesterdays-authentication-bug/) this is the second major security breach by a company I (and many people I know) have a lot of data entrusted to... This really sucks!

What's even worse: The first reports came in (from users!) over one day ago and the forum thread seems to indicate that they still have no clue what happened!

[Update] One possibility might be that Dropbox is not the culprit after all but that the spammers started to realize that people use those service-specific addresses more and more and they just send out emails to [some-service-name]@[some-domain]. At least my address is dropbox@[mydomain].

So let's hope for that...
bradleyland almost 13 years ago
While it appears plausible (likely, even) that Dropbox is the source of the disclosure, it's not verifiable as fact until someone identifies the method used to obtain the email addresses. This makes the title inappropriate.

Malware frequently targets address books and browser forms as a means of harvesting email addresses. Not saying that it can't be Dropbox, and I'm not saying that it's even unlikely, but years of troubleshooting have taught me not to name the root cause until I can verify it myself. This is even more true when you're putting someone else's reputation on the line.
joealba almost 13 years ago
A quick browse through my domain's catchall spam folder shows an e-mail addressed to techdirt@mypersonaldomain. I don't have a techdirt account -- nor have I ever used this e-mail address anywhere. Yes, spam bots make guesses, folks.

The Internet would be a better place if people would stop, take a deep breath and think before they type.

Good idea: Let the dropbox folks know that you received spam to a custom address tied to their service and let them look into it, whether it be a directed spam campaign or a possible leak.

Bad idea: "OMG!!1! Dropbox is pwn3d! Admit it! Apologize for your wrongs!"
ecaron almost 13 years ago
I don't see any confirmation in the forum that the "e-mail addresses of users" was leaked by Dropbox. It also appears to be mainly Euro-centric accounts. So while there is certainly a problem and it is very likely originating with Dropbox, the title is quite misleading and overly condemning given the known facts.
adanto6840 almost 13 years ago
I use a specific "MYNAME-dropbox@MYDOMAIN.com" email address for Dropbox and I can confirm that my Dropbox-specific address has NOT received any SPAM messages.

The only messages that have ever been sent to that specific address are from Dropbox themselves...
gingerlime almost 13 years ago
I've had the same issue with box.net a few weeks/months ago. I only signed up for their service and never really used it, and I used a one-off email address that is randomly generated and used only for the service. I do this regularly now. With each service I subscribe to, I first generate a unique random email address, so if I start to get spam, I can either block this address only, or at least know where it was leaked...
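Added example (not written by any commenter in this thread): a sketch of the per-service address scheme described above, using a keyed tag so that spam sent to a guessable address such as dropbox@yourdomain can be told apart from spam sent to an address that was actually issued to a service. The key, the domain `example.org` and all function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from collections import Counter

# Assumed placeholder values, not taken from the thread.
SECRET_KEY = b"example-key-keep-private"
DOMAIN = "example.org"
TAG_LEN = 8  # hex characters of the HMAC kept in the address


def _tag(service: str) -> str:
    mac = hmac.new(SECRET_KEY, service.encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def make_alias(service: str) -> str:
    """Per-service address, e.g. dropbox-<8 hex chars>@example.org."""
    service = service.lower()
    return f"{service}-{_tag(service)}@{DOMAIN}"


def classify_recipient(address: str) -> tuple[str, str | None]:
    """Return ("issued", service), ("guessed", None) or ("foreign", None)."""
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN:
        return ("foreign", None)
    service, sep, tag = local.rpartition("-")
    # Constant-time compare; bytes so odd characters cannot raise TypeError.
    if sep and service and hmac.compare_digest(tag.encode(), _tag(service).encode()):
        return ("issued", service)
    return ("guessed", None)


def triage(recipients: list[str]) -> Counter:
    """Count spam recipients per leaking service, or as dictionary guesses."""
    counts: Counter = Counter()
    for rcpt in recipients:
        kind, service = classify_recipient(rcpt)
        counts[service if kind == "issued" else kind] += 1
    return counts


if __name__ == "__main__":
    # Constructed recipients from a hypothetical catch-all spam folder.
    sample = [make_alias("dropbox"), "dropbox@example.org", "techdirt@example.org"]
    print(triage(sample))
```

Spam arriving at an "issued" address points at the named service or at something that handled its mail; spam at a "guessed" address says nothing about any service.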
dhyasama almost 13 years ago
My favorite part of the support forum is the suggestion to submit a ticket and it will "usually" be addressed in 1-3 days.
TomGullen almost 13 years ago
Here's one way to get people's email addresses. For what it's worth, I emailed DropBox about this a long time ago (months ago) and didn't even get a reply to my email!

If you use your DropBox referral code, on this page:

https://www.dropbox.com/account/bonus

You will see a list of people's email addresses that clicked the link and signed up. Unbeknownst to them you have their email addresses.

We have hundreds of these email addresses in our account as we have been promoting DropBox on our website for a long time. The referral status page also shows information about how far through the install they are, when they signed up etc.

This is bad because it makes phishing quite easy.

Perhaps not the source of the spam, but nonetheless still a bad execution in my opinion.
justauser almost 13 years ago
But this doesn't mean anything though right since all encryption happens clientside right? Oh...wrong service. This is Dropbox so they have the key on their end.