What I can't seem to wrap my head around is why, if someone actually breached DB security, what they'd do with it is send <i>spam</i>. So, to me, that suggests that whatever breach might have occurred must have been minimal or via a non-critical system (i.e.: someone had an unencrypted copy of some set of users' email addresses, possibly for marketing purposes, and their machine was compromised, etc.)<p>Otherwise, it just doesn't make sense that <i>spam</i> is the first sign we'd see of problems.<p>So, my fellow HN readers, what's the explanation for this?
Kind of a long shot, but their "forgot password" flow allows for username enumeration attacks:<p><a href="https://www.dropbox.com/forgot" rel="nofollow">https://www.dropbox.com/forgot</a>
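To illustrate the enumeration issue the comment above points at, here is an added example (not Dropbox's code and not the commenter's) of a "forgot password" handler that leaks account existence next to one that does not. The user store, the `Outbox` test double and the address values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for the account database (hypothetical addresses).
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

GENERIC_MSG = "If an account exists for that address, a reset link has been sent."


@dataclass
class Outbox:
    """Collects (address, token) pairs instead of sending mail (test double)."""
    sent: list = field(default_factory=list)


def forgot_vulnerable(email: str, outbox: Outbox) -> str:
    # Leaks existence: the reply differs depending on whether the address is
    # registered, so the endpoint doubles as an account-existence oracle.
    if email not in KNOWN_USERS:
        return "No account found for that email address."
    outbox.sent.append((email, secrets.token_urlsafe(32)))
    return "A reset link has been sent."


def forgot_hardened(email: str, outbox: Outbox) -> str:
    # Same reply for every input, and the unknown-address path does the same
    # token work as the known-address path so content and timing match.
    # (A real deployment also rate-limits this endpoint per client/address.)
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()  # what the server would store
    if email in KNOWN_USERS:
        outbox.sent.append((email, token))
    else:
        hmac.compare_digest(token_hash, token_hash)  # dummy work, result discarded
    return GENERIC_MSG


def leaks_existence(handler: Callable[[str, Outbox], str]) -> bool:
    """True if the handler's reply distinguishes a known address from an unknown one."""
    outbox = Outbox()
    known = handler("alice@example.com", outbox)
    unknown = handler("nobody@example.com", outbox)
    return known != unknown


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(forgot_vulnerable))  # True
    print("hardened leaks:", leaks_existence(forgot_hardened))      # False
```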