Why was my email leaked? (dropbox.com)
513 points by chmars on Feb 28, 2013 | hide | past | favorite | 257 comments



Unfortunately I have seen their customer service go downhill recently. Not sure if they are having capacity problems or something. 2 weeks ago I signed up for a trial of Dropbox Teams and it said that after the trial I would be dropped back to my Pro account. I cancelled the trial as I had made my mind up not to do it and it dropped me to a free account. Several emails to support and to the account manager I'd been provided as part of the Teams setup, and I still don't have my Pro account back and have had zero feedback from them. The only email I got was this one, which is ridiculous:

Hi,

Thank you for your support request. Recently, we have been receiving a high volume of support requests and haven't been able to get back to you within a reasonable amount of time.

The volume of inquiries we receive on a daily basis prevents us from responding to all requests. Although requests from Pro and Teams users will be given priority assistance, we will do our best to get back to other inquiries when possible. If you are not a Pro or Teams user and you're looking to resolve your issue before we can respond, you may want to check out:

https://www.dropbox.com/help/

If you need to restore a large number of files and are unable to do so, please visit the following instructions to help us speed up the restoration for you:

http://db.tt/2QPImJ3g

If you are still experiencing problems, please reply to this message. We will try our best to get back to you, however we cannot guarantee a response. We're very sorry for the inconvenience.

Regards, The Dropbox Support Team


From this forum "experience", it seems they have copied the Google model of service. They offer the support forum as a major source of support and promote heavy users to moderators or give them some other special flair. Mind you, normal users, without any inside access, information or capabilities. These users then spend their time flagging down support requests and blaming the posters.


The victim-blaming was shocking to me here.

The bit where Andy Y. says, "Oh, some spammer just guessed it" was funny. As if spammers needed to do dictionary attacks against the sort of tagged addresses that 0.1% of people use.

But it became hilarious when he said the same thing to the guy who uses 10-random-character tags. As if they would hit upon two different Dropbox addresses like that before the sun cooled to a cider.

The original complainant is much more patient than I am. If that's what I'd gotten as "support" on a paid service when reporting a security breach, I would have closed my account and told them to get fucked.


"The original complainant is much more patient than I am. If that's what I'd gotten as "support" on a paid service when reporting a security breach, I would have closed my account and told them to get fucked."

I agree with the end part of your response, but it's unknown if Forrest is a paid customer.


Even a non-paying customer does not deserve to get treated like that when a security issue is involved.


To defend Dropbox here, those people are forum moderators and not employees of Dropbox. The first Dropbox employee to respond specifically apologized for those responses. Jumping on Dropbox for this is just going to harm other companies responding to customer support requests in a timely fashion before lawyers get a chance to review...


> "those people are forum moderators and not employees of Dropbox"

They're official representatives of Dropbox, even if they are unpaid. Their behavior is entirely on Dropbox, and the fact that Dropbox has farmed out its customer support to unpaid amateurs is possibly a worse realization than the fact that the clueless person was not an employee.


Eh, not really. They are community volunteers. The best part is that they can give free support in the forums without pay, and then when something escalates and they've done something wrong an actual employee can wash their hands of the situation (as they've done here) by stating they aren't actually employed by the company.

So it's a win win for Dropbox. Free forum support for low level day to day forum chatter and easily absolvable of any wrongdoing if they screw up.


That's the price of trying to provide a vital service free with some clueless, non-paid "customers". I mean, frontpage of HN with zillion upvotes and comments, after you fail to support customers.


Whether it's a win or loss for Dropbox depends on the public's reaction to it. I'm totally with potatolicious here: It's a dropbox site, and these people have a special status (moderator) which I automatically assume is conferred upon them by Dropbox. So their behavior is "on" dropbox- whether dropbox wants it to be or not. Even if my assumption is wrong, it's still on Dropbox.

The only question is, are people going to hold them accountable or not (by finding other solutions). I don't use them (I do my own syncing) and this display warns me off of starting to use them any time in the near future.


And yet, those users are still wearing moderator tags...


That's funny. You were probably put on the free support queue, with low priority, since you're not a Pro user anymore :)


Yeah, that's exactly what happened :) No other way to contact them, and the account manager I dealt with hasn't responded either. Just counted and I've sent them 6 emails so far and zero response. It's such a shame as I have raved over Dropbox (partly as it's Python, which I also love), have 4 Pro accounts with my team and we were looking to sign up with 15 users to a Teams account. Looks like I'll be moving somewhere else now, which is a real shame.


If you'd truly get a faster response being a Pro member, then it might be worth a shot to purchase Pro again - then when they respond, have them refund you and reset your account back to its previous time left for your membership.


I really dislike this idea that if the company fails to deliver a product you have paid for, an individual should just pay them again for the same product.

Taking money and then failing to deliver a service or product is the very definition of scam/theft. But beyond having the state put down regulations, are there any actions people can take without putting themselves at even higher risk (like bans)?


Or, have one of your other Pro accounts raise the alarm for you.


That's a great idea. I've been too close to this (stupid?) to even think of that. I'll get them to do that. Fingers crossed that will help, but I also feel the damage has been done in terms of my feelings towards them. I have spent part of today looking at alternatives. Thanks again


I had some issues with my Dropbox account and slow support recently (despite having a Pro account).

I managed to expedite things a bit by emailing the CEO directly -- drew@dropbox.com.


Box is doing a 50GB giveaway at the moment. Seems like good timing.


If you don't care about using them in the future, just send a legal document requesting either reinstated service or a refund. Of course, they might just then ban you for life for doing so.


Check out Tonido Cloud (http://www.tonido.com/cloud/) and host your own dropbox.


Are you affiliated with Tonido, or just really into Dropbox alternatives? Your submission history seems a little too focused.


He claims to be with Tonido in a prior post, as he talks about the back end infrastructure and uses the term "we".

http://news.ycombinator.com/item?id=4703166


Nice investigative work, he definitely seems affiliated...


I am offering an alternative suggestion to a person who is not happy with dropbox's customer service. He/she has the smarts to decide whether a new service is worth a try. My affiliation is irrelevant. Can you guarantee the readers who downvoted me are not affiliated with dropbox or positively biased towards dropbox? You are no different from the dropbox forum moderators.


Yes, your affiliation is quite relevant. When you are talking about something when you have a clear conflict of interest, you need to disclose it. Then at least the reader has the right context in which to make a decision.

When you post w/o disclosing, you make it seem like someone from this community has found your product interesting and is suggesting others try it. Instead of working for a company and trying to drum up business while disparaging a competitor.

Seriously, things like this reduce the likelihood that I'll ever try Tonido to nil. All you had to do was add "disclosure: I work for Tonido" to your post, if that is the case.


tl;dr: read http://hastebin.com/raw/gefuxumubu

"your affiliation is quite relevant. When you are talking about something when you have a clear conflict of interest, you need to disclose it. Then at least the reader has the right context in which to make a decision."

I used to think the way you do. Then I entered the financial world. At this point, I've seen so many people talk up their positions without disclosing that I automatically assume everyone has a conflict of interest. Then something really strange happened: I stopped caring about the affiliations and really focused on the veracity of their statements.

I recommend you read http://hastebin.com/raw/gefuxumubu, which is a copy of the zerohedge.com conflicts of interest policy. We are all adults here, and a person's persuasion shouldn't somehow affect your ability to make a rational analysis of the arguments that a person lays out.

In this case, if you bothered to look at the offering, you would see that it indeed obviates the problem that dropbox has all of your emails: when you self-host, the accounts are stored on your servers.

Note that I haven't actually tried the service, but this is based on my understanding of the offering. There may be vulnerabilities in their implementation. Who knows. But to immediately dismiss a remark because of a conflict of interest doesn't change the fact that the argument may be factually correct and germane.


I've never seen someone use tldr; to send someone to a different link :)

My response is that it is all about context and community norms. Here, on HN, the norm is that if you're going to bash someone, and you work for a competitor, you disclose that. If you can't pass that small ethical hurdle, there are other companies I can send my money to. (Not to mention, That I consider it uncouth to bash a competitor like that)

In the financial world, things are probably different and you just assume some level of conflict from the beginning. And that's fine, so long as everyone knows the ground rules.

I've actually looked into Tonido a couple of times, so I already knew what the service was. I have a friend who was all ready to buy one of their plugs for their lab when their university got hooked up with Box.net (I think). I probably wouldn't have thought to question them had a) I not already known what Tonido was and b) they not already been downvoted, so I wasn't the only one to put it together. For some reason, I always had reservations about it, and so this just cemented an already held feeling.

But, you are quite right that different communities have different norms.


Just out of curiosity, where was he (minm) bashing his competition?

This is a totally honest question as I looked when you wrote this and found no bashing.


> You are no different from the dropbox forum moderators

That was the line I was referring to...


Then something really strange happened: I stopped caring about the affiliations and really focused on the veracity of their statements.

But it's not just how truthful the statement is, it also covers "why am I considering this statement at all?".

And the answer "because someone I trust has had the same problem, considered the available options, and recommends X" is very different to "because someone who works for X says use X".


If you spent your entire life only listening to those that you "trust" and if you define trust in terms of those that agree with you, you end up in an intellectual bubble. It is incredibly important that you at least consider what people are saying.


I downvoted you. I'm not affiliated with dropbox. Your affiliation IS relevant when promoting services, because it means it's not an honest recommendation from a happy user, it's paid shilling.

If you don't understand the difference - or more importantly why one of them bothers people and the other doesn't, you need to stop doing marketing or promotion really quickly. You're going to tarnish the brand of the product you're trying to push.

Do you want people's only lasting impression of Tonido to be 'oh, that's that company that was astroturfing Hacker News'?


NOTE: I have no affiliation with Tonido, but I found your visceral reaction really sad.

"Your affiliation IS relevant when promoting services, because it means it's not an honest recommendation from a happy user, it's paid shilling."

That's not a fair criticism. In this case, there is an issue with dropbox, and he is pointing to a solution which obviates the problem at hand:

'Check out Tonido Cloud (http://www.tonido.com/cloud/) and host your own dropbox.'

I think the wording was poor, but reading into the website offering it is clear that the company doesn't have access to the local credentials. In this case, since the alternative doesn't suffer from the problem at hand, I think it's fair for him to mention the alternative.


I see your intention, but the issue is not this post alone. Take a look at minm's comment history and you'll see 90% of his posts are promoting Tonido: http://news.ycombinator.com/threads?id=minm

I didn't downvote his post at first because it sounded like a genuine suggestion. I consider myself deceived.


I still think you missed my point.

The only way in which you could have been deceived is if you went into the discussion assuming no conflict of interest. Years of dealing with financial media and experts has rendered me incredibly cynical, so I focused on the author's claims (which, in this case, are true -- If the product acts as the website claims, the self-hosted solutions store credentials on your servers and not theirs.)

I recommend you read http://hastebin.com/raw/gefuxumubu, the zerohedge.com conflict of interest policy, for it drives home the key point that if you assume everyone has a conflict of interest you won't be deceived and you can focus on what was actually said.


You've made the mistake of finding a rule that works in a particular environment and trying to apply it in all situations. The HN community is nothing like the financial industry. Applying that level of cynicism to all aspects of life is likely to have a damaging effect to both you and the communities we live in.


"The HN community is nothing like the financial industry."

Oh how I wish that were the case, but there's a really strong mapping from HN and SV to finance (too much to mention in a reply, but I may try to flesh it out in a blog post one day)


I did read that after seeing it in another thread. Thankfully HN is nothing like the financial world. I might enter a marketing forum with that mindset, but knowledge and recognition are the currencies here, not money, so the rules are a bit different.


I wish it were the case. But please analyse the majority of the top posts in HN with an open mind. One can clearly see the connection SV --> Funding --> YC --> TC. The outsiders are treated or ignored like pariahs. Have you heard the term "Made in SV"? It may be subtle. But it is there.


I think you really poorly started the discussion. You should have made it clear exactly why your product is better suited to handle the problem. If you said something like

"We've seen many companies leak or improperly use your email addresses and other personal informations. The best solution is to host your own. Check out _____"

That would have been a proper sequitur and wouldn't come off as arbitrary pumping.


You just need to add an additional line such as, "I've used product x and it's a brilliant alternative" or "I develop product x and would love your feedback" or "I'm the CTO of..."


(If you'd prefixed it with "I'm a techie at Tonido which does ..." then you'd have got upvotes instead, especially if you are a techie.)


I've been unimpressed by Dropbox's support ever since my attempt to upgrade to 80 team users (which wasn't possible via their site in 2011) revealed an internal culture of indifference, buck-passing, and reflexively blaming the customer.


I wouldn't be surprised if they are having problems finding support staff. I believe it was late 2011 or early 2012 they were advertising customer support positions and wanted someone with a CompSci degree and like 2 years of experience just to do customer support.


The way the moderators handled this was pretty damn bad. Two different users tell the moderator they use UNIQUE e-mail addresses for dropbox only, and they received spam roughly at the same time and yet the moderator answers by assuming the users are idiots.


Yup, especially Chris' behaviour is a no go. I don't know how the mods are affiliated with dropbox but if they are employees I wouldn't let them have any customer contact at all.


Yeah, Chris seems a bit of a prick:

    "Just the fact that you listed your emails says it all."


Especially considering the context. It seemed pretty clear that the user was posting the email address publicly for the first time.

That is just awful, and is an awkward example of why you may not want unpaid, mostly un-vetted volunteers as the public face of a company.


Thank you!

I was wary of this thread showing up on HN because I felt I was a bit unkind when posting in that thread, but Chris' comment towards me seemed completely unjustified. And he deleted a prior post along the same lines, hence why I quoted him on my next post.


I also use unique addresses for every site, and while my Dropbox email wasn't compromised, I've occasionally gotten that response from tech support elsewhere.

You mean that tim-somespecificsite@mydomain.com was randomly compromised, but NO OTHER random email was mailed to me? No, that's not how spammers work. If they'd decided to spam tim-*, I would have gotten hundreds of emails...sigh...


Looks like Chris is battening down the hatches. His linked site[1] was up about an hour ago, but it redirects to a placeholder now. Also, he's deleted all but his first comment, wish I'd taken a screenshot of his other comments.

Tangentially related: It drives me nuts to deal with people whose default answers are "no," "you must be doing it wrong" and so on. Particularly the moderators who insisted someone must have guessed a ten digit random email address -- because Dropbox and its vendors couldn't POSSIBLY have ever done anything wrong, and it's MUCH more likely that a spammer magically brute-forced a 10 billion combination address! Grrr. I'm not sure what the right word is to describe that sort of personality, but such people should never have contact with customers. Or with me.

[1] http://cjwworld.cu.cc/


It's not just a 10-character address. It's a 10-character address on a non-standard domain (or so the conversation led me to believe). All without getting another email on that domain's catch-all address. If it was a spammer, who randomly-generated addresses on this domain, I would imagine that they would have been shotgunned across the whole domain. Not just hit that one single address.


Aaaannd cue internet vigilantes: http://cjwworld.cu.cc/?p=216#comments


Site appears to be up now.


Sounds like they're volunteers, not employees: https://forums.dropbox.com/topic.php?id=97303&page=2#pos...


They have a title, and that must mean they have authority. Volunteers are a fine thing, but make sure the title listed has the word "volunteer" in it, else they will be taken for employees.

On a side note, why the heck does dropbox have volunteers running their support forum? At this stage, cost savings isn't worth the reputation hit.


"On a side note, why the heck does dropbox have volunteers running their support forum?"

If I had to guess - I'd suspect three or four "nines" of their customer support workload comes from their "free tier" non-customers. (Having said that, there's evidence upthread in these HN discussions saying they're also dropping the support ball for paying, even team-account-sized paying customers - that's not OK...)


Doesn't really matter for dropbox users though. They're the people the seller is putting in charge of being its face in the support place, and they're awful.


why wouldn't you want your employees having contact with your customers?


GP means that, if these are employees, their capacity for dealing with customers is so low that it's a net negative for them to continue doing so.


Yes. That's what I meant. Sorry for my broken English.


The way some people do "fredsmith+amazon@gmail.com" as proof that it must be amazon that leaks their passwords has some issues.

The guy who says that he had a truly random bunch of letters as his dropbox account is probably a better indicator, but it's hard to know if the guy ever leaked it himself.

Doesn't excuse the moderators being jerks, though.


When I try subaddressing as I try to sign up for new online services, more often than not that address format is rejected as invalid. Most online services don't have very good email validation.


Use a whole domain name, e.g. sign up for dropbox with dropbox@tokenadult.com. You could do this with Google Apps Gmail by setting a catch-all forwarding address for the domain.


It's all fun and games until you get attacked by a spambot that tries blindly sending thousands of messages to <common_user_names>@yourdomain.com


I use a sub-domain (e.g. @m.mydomain.com) for my catch-all and this hasn't happened to me. There are various easy ways for spammers to find out about domains, but sub-domains can remain relatively obscure.


Oh that's a nice trick, I might give that a go - thanks!


Hey, that's sharp.


Or worse, using <randomchars>@somesubdomain.example.com as the SENDER address on spam to others. I once had spammers find a subdomain that accepted wildcard emails, and the backscatter was just insane. Had to spend a whole day trying to make a list of valid <usernames>@ on that subdomain to whitelist to put an end to it. (Not easy if you haven't already been keeping track of which addresses you've handed out throughout the years)


I have a setup like that, I get more spam because of that of course but Google is really good at filtering it. And especially in conjunction with priority inbox, it's a breeze (and very convenient).


Yup. I used to do this with a personal domain. After a while I realized that the spam folder was filling up faster than I could manually empty it!


Wouldn't it be better to set up a new nickname/alias for your account? A bit tedious, but then you wouldn't be getting every single xxxxx@example.com


Yeah, I've got postfix set up so I just need to add a line to a textfile with "servicename.somerandomchars[1]@mydomain" and it starts to route to my inbox.

When an address is "compromised" and starts to receive spam, I move the line to a "banned_recipients" file with an SMTP reject header listing the new email. That way, a human using an old address would get a bounce back with the new email.

[1] so that the argument about bruteforcing "common-service@domainname" can be avoided


That's a nice technique; thanks for sharing it. This kind of flexibility is one of the many benefits of running your own mail server (I'm always happy to see that at least some people here are still doing that).


If you run postfix you can have that even easier; look for smtpd_recipient_restrictions and check_recipient_access in 'man 5 postconf'.

I'm running with this rule in the access map:

   /^from-.*@foobar.com$/ OK

That accepts all mail to an address prefixed with "from-" and (by default) rejects everything else. This way you can just make up the dummy-addresses on the fly.

I remember being slightly worried about using such a simple prefix when setting it up initially. However I have never received mail to a from-* address that I didn't "create". Not once in over 6 years.

And disabling an address that has turned spammy is as easy as:

   /^from-stuffit-expander@foobar.com$/ 554 No thanks.


It's actually _not_ because their validation sucks, but because salespeople decided that it means you won't read their newsletter or other spam. They understand the situation as - hi, this is my email, please use that subaddress so I can mark it as spam (yes, I know that spam filters don't need subaddresses - but try to explain it to an average salesdude - I've tried).


I have anything sent to any address at my vanity domain forwarded to gmail. I use the name of the website and add e.g. ".shop@mydomain.tld" or ".bank@mydomain.tld" so I can apply different labels to them in gmail. It works great except I chose a .info domain which some sites don't recognise as valid.


I should also have said that this system means that for forums I feel safe enough using the same password on all sites as it will never be linked with the same address. (I still use a different (predictable for me) password for banking/ecommerce websites)


I changed my mail server to accept . instead of +'s so now the emails I generate work through pretty much any validation.


I've also done that and I've just recently added _ to the mix, which I think is particularly devious and wholeheartedly recommend.


These (the dot and underscore separators) are a great solution, because when the spam-happy-marketroids try to get the webdevs to intentionally implement broken email address validation, they can point out all the corporate email addresses which are by-policy of the form "firstname.lastname@domain.tld"…


Yeah, so much for RFC2822. Oh well, apparently, some spammers are clever enough to grep the emails with "+" and throw away the obvious additional portion.


The author of that RFC should be shot. Of course nobody obeys a standard which requires you to handle comments in email addresses.


I'm not sure I understand. Which part of that RFC are you responding to?


Some of the posters seem to be saying they have received spam on a single, dropbox-specific address on their own domains, though, presumably with catch-all email, so that an attacker wouldn't just have had to guess fredsmith.dropbox@fredsmith.com, but also not tried a single other address @fredsmith.com


Speaking of which, this alias system from google is great in theory, but kind of pointless in practice; spammers can easily figure out they can just remove everything from the + sign, including the sign itself, and boom, they have my address without the specific alias.


It's not from Google; it's called subaddressing: http://en.wikipedia.org/wiki/Email_address#Address_tags


It's pointless in practice in theory; in practice in practice spammers (in my experience) don't target + aliases. And if you think about the set of people who are likely to give money to spammers, the set of people using + aliases, and the fraction of + alias space that is occupied versus the fraction of non-+'aliased space that is occupied, the reason why becomes clear.


I've tried to use this system in the past, but found it to be a PITA. A lot of email systems won't let you use a +. The other gotcha I get is that they use the email address as a login token (Dropbox, for example). So you have to remember a) that you used a token and b) what it was. Any suggestions on approaching these?


1Password (or equivalent).

Even though a service might desperately want to know my personal and/or business email address, and disguise that desire with the usual "Hey, just use your email address as your login username!", doesn't mean I have to comply. Unless they're prepared to accept responsibility for disclosure of my address, I feel perfectly happy taking the required measures to minimise those risks myself - no matter what they attempt to enforce with crappy email validation or ToS requirements.

(And, although Dropbox have finally arrived in their forum-thread ~24hrs late apologising for their "community moderators" calling their customers idiots, the responses from Nathan and especially Chris only strengthen my resolve to ignore any attempt by companies/services to gain access to my personal email addresses as part of their user databases.)


I always use the domain name minus the top level for my token. So if my base email were "david@example.com", for "dropbox.com" it would be david+dropbox@example.com. That makes it very easy to figure out all the emails I might have (since I'm essentially just remembering a very simple algorithm to generate them). Very often sites have sucky email validation that rejects "+", so I configured my system to allow . and _ to also work the same way. That way I can choose david.dropbox@example.com or david_dropbox@example.com if the + doesn't work.
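The per-service tagging scheme described in this comment, together with the tag-stripping spammers are said to do upthread and the postfix-style accept/reject map posted earlier, as one worked example. This is added code for the discussion, not anything posted by the commenters or run by Dropbox. It assumes a catch-all domain example.com, a base mailbox "david", and the separators +, . and _; the rule that everything from "+" on is dropped and that Gmail ignores dots in the local part is the commonly documented Gmail behaviour, used here as the spammer's model.

```python
"""Per-service e-mail tags: generate them, see what a tag-stripping spammer
keeps, attribute incoming spam to the service that was given the tag, and
apply a recipient policy in the spirit of a postfix check_recipient_access map.

Added example for this thread; not code from any poster or from Dropbox.
Assumed values: catch-all domain example.com, base mailbox "david",
separators '+', '.' and '_'.
"""
import re
from typing import Optional

DOMAIN = "example.com"   # assumption: our catch-all domain
BASE = "david"           # assumption: base mailbox in front of the separator
SEPARATORS = "+._"       # '+' is the classic form; '.' and '_' pass strict validators

# Our local parts are BASE, optionally followed by one separator and a tag.
_OURS = re.compile(rf"^{re.escape(BASE)}(?:[{re.escape(SEPARATORS)}]([a-z0-9-]+))?$")

# Tags retired after they started receiving spam, mapped to their replacement,
# so a human writing to the old address is told where to write instead.
RETIRED = {"stuffit": "stuffit-2"}


def make_alias(service_domain: str, sep: str = "+") -> str:
    """'dropbox.com' -> 'david+dropbox@example.com' (site label, TLD dropped).
    Caveat: for two-level TLDs such as 'shop.co.uk' this yields the tag 'co'."""
    if sep not in SEPARATORS:
        raise ValueError(f"unsupported separator {sep!r}")
    labels = service_domain.strip().lower().split(".")
    tag = labels[-2] if len(labels) >= 2 else labels[0]
    if not re.fullmatch(r"[a-z0-9-]+", tag):
        raise ValueError(f"cannot derive a tag from {service_domain!r}")
    return f"{BASE}{sep}{tag}@{DOMAIN}"


def parse_ours(addr: str) -> tuple[bool, Optional[str]]:
    """(is_one_of_ours, tag). Bare 'david@example.com' is ours with no tag."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return False, None
    m = _OURS.match(local)
    return (True, m.group(1)) if m else (False, None)


def spammer_canonical(addr: str) -> str:
    """The address a tag-stripping spammer ends up with: everything from '+'
    on is dropped, and on Gmail the dots in the local part are dropped too.
    A tag behind '.' or '_' on a private domain survives this untouched."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def attribute_leak(rcpt: str) -> Optional[str]:
    """Which service was this recipient tag handed to? None if not a tagged address."""
    ours, tag = parse_ours(rcpt)
    return tag if ours else None


def recipient_policy(rcpt: str) -> tuple[int, str]:
    """SMTP-style verdict for RCPT TO: accept the base and any well-formed tag,
    554 a retired tag (naming the replacement), 550 everything else so a
    dictionary run against the domain bounces instead of landing in the catch-all."""
    ours, tag = parse_ours(rcpt)
    if not ours:
        return 550, "Recipient address rejected"
    if tag in RETIRED:
        return 554, f"No thanks. Use {BASE}+{RETIRED[tag]}@{DOMAIN} instead."
    return 250, "OK"


def triage(rcpts: list[str]) -> dict[str, tuple[int, Optional[str]]]:
    """Run the policy over a batch; attach the leak attribution to accepted ones."""
    out = {}
    for r in rcpts:
        code, _ = recipient_policy(r)
        out[r] = (code, attribute_leak(r) if code == 250 else None)
    return out


if __name__ == "__main__":
    # Constructed sample RCPT TO values: two tagged, the bare base, a retired
    # tag, a dictionary guess, and a case-varied tagged address.
    sample = ["david+dropbox@example.com", "david_ebay@example.com",
              "david@example.com", "david+stuffit@example.com",
              "info@example.com", "David.DropBox@Example.COM"]
    for rcpt, verdict in triage(sample).items():
        print(f"{rcpt:32} -> {verdict}")
    print(spammer_canonical("fred.smith+amazon@gmail.com"))  # fredsmith@gmail.com
```

The policy deliberately rejects anything that is not BASE plus an optional tag, which is what makes the "someone guessed a ten-character tag" theory testable: a guessed or dictionary address never reaches the catch-all, so spam arriving at one specific tag can only have come from whoever was given that tag. Note that "+" alone is no protection on Gmail, as spammer_canonical shows; a private domain with "." or "_" separators is what keeps the attribution intact.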


I once ran into the problem where a retail site forced me to sign up before paying, then refused to accept Paypal payment from any address except the one I signed up with. Of course my Paypal wasn't myemail+retailsite@gmail.com. Very annoying.


I use domaincom@mydomain.com, e.g., dropboxcom@mydomain.com.


spammers can easily figure out they can just remove everything from the + sign, including the sign itself, and boom, they have my address without the specific alias.

Do they in fact do this?


Yep. I know for a fact they do.

Yahoo! Plus has a much better system where you use a different base email address plus the sub-address rather than your regular address.

For example, if my account is "somebody@gmail.com" then you use somebody+dropbox@gmail.com. But with yahoo, you pick an alternate, e.g. "huggybear", and use that instead (huggybear-dropbox@yahoo.com). That way if a spammer sees the sub-addressed account, they can't send email to huggybear@yahoo.com unless they want to end up on Yahoo's blacklist.

I've had a great deal more success with Yahoo's sub-addressing than Google's.


That's perfect, I wish you could do something like this in gmail without specifically creating a new account for every alias.


I should clarify: with Yahoo plus you only create one base for all your sub-addresses, not a new base for every sub-address.

So in my earlier example, if you wanted to sub-address ebay, amazon and hackernews you'd have huggybear-ebay@, huggybear-amazon@ and huggybear-hn@.

The big deal is that huggybear@ != someone@ and sending to huggybear@ won't reach someone@ and likely earns you a place on their blacklist (or some points towards ending up there).


That's true for a negative filter, but not a positive one; although, an email that required the subaddress might be less universal.


The initial responses by moderators were fine and correct. They met the complaint with skepticism.

The fact that the guy's email was blah.dropbox@blah.com meant it was a possibility that another site had been compromised and the email matched a keyword filter which allowed it to be easily guessed.

It's like passwords. MyPASSW0rDdropbox. If this is leaked it is fairly likely someone may try.. MyPASSW0rDfacebook.

They failed a bit further on. One obviously misread the thread and made a comment which isn't really acceptable.

Generally though it is the typical user forum thread. User repeatedly hammers the moderator with the same question. The user cannot elaborate. The moderator can only speculate due to lack of information. User doesn't find moderator answer acceptable, provides no further information and asks the same question.. both sides get annoyed.

It seems like the spam is to do with the data that Dropbox previously lost. An answer which a moderator actually provided.


Because a great company like their Dropbox can't be at fault, it must be the stupid users, right?! </sarcasm aimed at their customer support>


Sean B.:

Hi there,

We’ve been looking into these spam reports and take them seriously. Back in July we reported that certain user email addresses had leaked and some users had received spam as a result. At this time, we have not seen anything to suggest this is a new issue, but remain vigilant given the recent wave of security incidents at other tech companies. If you’ve received spam to an email account you only use for Dropbox, please send the message (including full headers) to support-security@dropbox.com to help our ongoing investigation.

Separately, we want to apologize for some of the dismissive responses from our volunteer moderators - since they aren’t employed by Dropbox, they don’t have visibility into issues like this. We want you to know that we've taken these reports seriously and began our investigation immediately.

https://forums.dropbox.com/topic.php?id=97303&page=2#pos...


Why do "moderators" feel the need to weigh in then, if they have no visibility of the problem?

There was nothing in that thread that requires moderation (other than the mods themselves)... so why are they even there?


Probably they handle the majority of easy questions they must get. Personally, I give dropbox way more credit than the original poster. He comes across as argumentative instead of problem solving, and that doesn't help a damn.

if he has suddenly lost faith in dropbox, there are other services that are cheaper, like box.


I'm just relieved that they realized the moderator[s] were being dismissive. I'm not sure that it's a new breach, but it does look like something is going on...


Yeah, that's good - but ~22hrs late.

I'm surprised (bordering on disappointed) that the initial response by the moderator Chris didn't trigger a Dropbox employee response almost immediately. Even given worst-case timing I'd expect a first thing next working day response in 16 hours - but for a potentially serious security related problem like this I really expected to see an immediate "Hey, thanks for the report - we're looking into this right now, can I contact you off-forum to get more details." from a Dropbox employee - preferably with an obviously security related job title.

I fully understand why Dropbox can't afford/justify providing high priority customer support to their free-tier customer base, but ignoring possible security breaches reported from the free-tier seems foolish, and allowing your crowd-sourced forum-based-customer-support to mishandle it like this is really sad.


Coincidence that it came (relatively) right on the heels of "and you're on HN"...?


A bunch of employees probably saw it here first... if you worked there would you prefer to hang out on their support site or HN?


If you're an engineer, HN. If you're responsible for keeping users happy, the support site. But as usual, it seems the only people employed at Dropbox responsible for keeping users happy is the damage control department.


That's a very naive response. You cannot expect a community of DropBox's size to be actively monitored by paid employees in a manner like a public forum.


> If you're responsible for keeping users happy, the support site.

Or better yet, doing actual support for paying customers?


Founder of Dropbox is a YC alum, and HN is likely visited by a lot of the employees


While I can't speak for Dropbox and this specific case, we had angry customers like this two or three years ago.

Obviously we were very concerned, and spent days poring over server logs and trying to figure out where the breach was.

Turns out the service we used for newsletters (icontact) had been hacked. They never emailed to let us know. (They had a blog post up for a few days, then removed it, the slimy bastards!)

Since then we've used MailChimp, and had no problems.


We were also hit by the iContact breach.

We lost a lot of trust with customers since we had a kind of low-rent image to start with (discount software bundles). The worst part was they never really owned up to it - the blog post just said they were "investigating it". They never followed up, then they redesigned their site and the blog post mysteriously disappeared. Assholes.


This is how a company's supposed to respond to stuff like this.


Sounds similar to... the dropbox hack in 2012...


I just checked the spam folder of a gmail account I used for dropbox. Throughout the years I'd occasionally (maybe once every two months or so) check the spam folder merely out of curiosity, but it was practically always empty.

Perhaps this is just a huge coincidence but I see three spam emails sent today plus another two sent this week. Some of them have cc recipients which seem legit addresses of other people, but I can't identify them. I never used Zendesk by the way.

Edit: here are the senders, in case it helps: no-reply@adsl.hu, no-reply@velkommenhit.no, no-reply@wdl.fr, no-reply@tataidc.co.in, no-reply@variationfm.com. Though it looks like these addresses may have been spoofed... the sender name is "{%FROM_NAME%}" in all of them.

Edit 2: It turns out Groupon Germany (former citydeal.de), which I checked out once with the same address, is responsible from what I can gather (link in german, but everything matches, company has yet to say anything): http://hukd.mydealz.de/diverses/groupon-verkauft-kundendaten...


Whoa - yeah my spam folder has two sent to "dropbox.com@<mydomain>.com"

From ".Вишняков@direct.nacha.org" <kohinoorwm87@lifesep.com> and ".Белов@fdic.gov" <runoffiz@smarterbythemonth.com> with subjects of "Declined Direct Deposit payment" and "Update of the security software is required!"

I do get lots of "random" spam sent to addresses like "fcbb3a43@<mydomain>.com" but I can't believe the moderators really think that a "random" guess would land on "<domain>.com@<mydomain>.com" sigh


Those look exactly like the phishing emails I received on my dropbox-specific email address


I think that I tracked my spam to the following exploit:

http://thenextweb.com/insider/2013/01/31/yahoo-mail-users-st...

If you ever shared anything with somebody using Yahoo email your email is already in the wild.


Same. I rarely check the recipient addresses in my spam folder, but today there was a LinkedIn-style phishing email to my Dropbox-specific address.


Brutal customer service! Especially since a user is giving you a heads up about a possible breach and leakage of their personal information. I can fathom these types of replies if this was behind closed doors, but when you have an open forum like this, you are asking for trouble with snotty replies.

This forum should be a PR beacon for awesome customer support!


Those aren't Dropbox employees.


This is correct, but also irrelevant.

They are representing the company as forum moderators whether they like it or not.

I agree with others that they should at least have the word "Volunteer" in their forum account title. Not just "Moderator".

You and I know they aren't dropbox employees, but I wouldn't expect most people to assume that. That's a big problem.


I also give out a separate email address to every service I sign up for. So far geico, mint, and dyndns have lost or sold my email address. I haven't gotten any spam on my dropbox account, but I've only had an account since 2012-10-02.

I don't run any spam filtering, at all, and my email box is the catchall for my domain. These aren't just lucky guesses.


Since the last two weeks, I have been getting 5-6 spam and phishing emails to my unique dropbox email address, so they must definitively have a leak on their hands. Found various reports on twitter, too.

I've also seen similar leaks from linkedin (obvious, since they acknowledged their hack), everydns, the nokia development forums (another obvious one that was acknowledged as compromised), namecheap.com and uneetee.com.


I'm surprised to see mint in that list. Have you contacted them in any way about this?


Why are you surprised? It's a free service. I assume that my data is for sale for every free service I use.

Also, the parent is Intuit which, IMO, is not exactly tops when it comes to data security and privacy.


Because the point number 1 on their Privacy and Security Policy is "Your Privacy is not for sale" : https://www.mint.com/how-it-works/security/policy/

The way it is worded, it seems like your e-mail may be used by Intuit for promotion or by third-parties bound by the same privacy policies, but certainly not sold for spam.


Definitions vary, but I consider "third party promotions" to be spam.


> [...] it seems like your e-mail may be used by Intuit for promotion or by third-parties bound by the same privacy policies, but certainly not sold for spam

Same difference in my book. If you are not the original entity that I supplied my address to, and I get email from some 3rd party, that's SPAM. Sure, you could argue that it's in the T&C and that I "agreed" to it, but it's still SPAM the way I see it. And since it's a 3rd party, then that'd mean my information was sold (or otherwise bartered/traded).


For me there is a clear difference between "Hey! You use Mint, we thought you'd like [finance product X] Try it free!" and "Your paypal account has been compromised, log here to reset your password : www.paypalscam.com/reset"


What's surprising about it? I've been receiving "ACTION REQUIRED" emails from them for years that do not actually require action, I receive them simply because I haven't logged in. Mint isn't as different from any of the other unsurprising email-leakers GP mentions as their reputation might otherwise lead one to believe.


I've been meaning to send in a complaint, but they should really have some canary addresses in there to catch this. Of interest, the mint spam is a lot more varied than the geico spam. The geico address gets nothing but Canadian Pharmacy Viagra spam.


FWIW, I received spam to my unique address that I only use for turbotax. Mint is owned by Intuit, so it's possible that they lost all their emails.


"These aren't just lucky guesses."

How did you rule that out?


From the linked page: "I just got spammed this morning via my dropbox@... custom email address. cc'd on the spam were two other email addresses which belong to the two dropbox accounts that I share folders with. There is no way this was a random spammer guessing addresses as some of the mods are suggesting."

Seems highly unlikely that the situation this person described would result from anything other than dropbox being compromised in some way.


The people he shared folders with could have been compromised.


Entirely possible. The moderator's handling of this issue was pitifully bad but the assumption that Dropbox MUST be at fault here is ridiculous.


Dropbox may or may not be "at fault", but they've certainly got a problem. Even if the root cause turns out to be a common rootkit/trojan/botnet has started extracting and reporting email addresses from Dropbox clients on exploited customer machines, that's still a problem for Dropbox (and their customers) even though few people would call Dropbox "at fault" in that circumstance.

And, the mods there held on to the "it must be your fault, probably just an easily guessable email address + random bad luck" line _way_ past the point of credibility.


"they've certainly got a problem"

If you mean they should sort out their forum moderation policies then I agree.

If you mean that this must be a technical problem on their part then I disagree. A 3rd party submitting their address book to a Friend Finder or similar tool would not be the responsibility of DropBox.


We both agree on two points, they need to do something about their support forum, and they don't definitely have a technical problem with their site/code/security.

They do seem to have a customer expectation and privacy problem though. If, as described by enough forum posters for it not to be a coincidence, email accounts created just for Dropbox's service and which are not trivially guessable are getting spammed - then Dropbox has somehow leaked customer data that customers had expectations of being private. If that were me, I'd consider myself to "certainly have a problem" - whether that problem is "my user database just got exposed via an SQLi attack", or "my contract with my newsletter emailing partner or customer support software service wasn't well thought through enough and they've used my clients' email addresses without my/their permission".

While I agree that a 3rd party (or even a 3rd party app) uploading their addressbook is beyond Dropbox's control - that doesn't seem likely to be the cause from my reading of the first few pages of that forum thread this morning - I doubt the sort of person who creates "username.dropbox@example.com" style email addresses for Dropbox is likely to then add that address into a contact list where Facebook or Instagram style contact-mining apps are likely to find them.

It'll be interesting to see this as it pans out - I'm reasonably sure Dropbox or one of their partners (I'd put a small wager on Zendesk) or some malware targeting their client-app; is "leaking" username/emails.


I think you're missing the perfectly plausible use case where the user has used the Dropbox send link feature.

Note that a third party will now have the second party's email address without Dropbox being in any way culpable.

It's possible that the feature was never used but it's hardly an obscure use case.


If they were lucky guesses, his catch-all box would also have caught other random guesses for that domain.


He doesn't run a spam filter and he's using a catch all, therefore any email sent to any address on his domain will get to him.

If someone was just trying things to see what worked he would see those emails.


This is not entirely true. A very large percentage of spam (70-90%) is stopped at or before the banner, at a layer he probably doesn't control (unless he runs his entire email infrastructure).


I do run my entire email infrastructure, in this case. During the time period where a lot of these spam messages were received, it was directly hosted on an enterprise fiber line, on its own IP address, which I wouldn't imagine was doing any sort of filtering.

I could be wrong and it's possible that some filtering was happening on the ISPs side, but you'd think that of the thousands of spams that get through, there would be some that looked like guesses.


I'm curious, do you have a source for this? I have a google apps account for my domain, are they rejecting emails before they reach the 'spam' folder?


There would have been unlucky guesses as well as lucky guesses. It's incredibly unlikely that the first guess was correct, and that there were no guesses before or after that.


I like that idea. I might start doing that.


Holy crap Dropbox's moderators make me want to terminate my account with them.


Reading that thread was painful. I always use custom one-off email addresses for services I sign up for. When I've attempted to report disclosure of my email address I'm almost always met with major skepticism. It's maddening.

I used to enjoy the reactions I'd get from store clerks and telephone reps when I give them my email address. "Oh, how do you have an email address with our company name in it?" In recent years the reactions have turned kinda hostile, "What is your connection with our company?" and once "You can't have our company name in your email address." I gave up fighting and now I just use random strings.


Wow. That sounded a lot like I wrote it. Sounds like the same story line I've experienced. :)

If I'm at Toys R Us or something, I'll just be like uh... "tru25@<mydomain>.com" so they don't question me. (Also, I chose Toys R Us as an example because when I went to sign up for a loyalty program, and they typed in "toysrus@<mydomain>.com" their cash register black screened and rebooted... !)


Acme Inc's employees being suspicious of people with "acme" in their email address is probably, on the whole, a good thing. It smells like a phishing scam to people who don't know about throwaways.


I recently had to sit through a customer rep reading a 32 character long alphanumspecial email address out to me for "security reasons". Bet she was glad I didn't use unicode.


You might consider just picking one or two random words from the dictionary.


That sounds like a fun idea for an app/service. You provide it with your base email address or custom domain and it generates a couple random words and keeps track of what service you used it to sign up for.


I spent a little time thinking about this concept and how it relates to just having dummy account you control, for giving to services you don't fully trust.

As long as you use a secure password and you don't use the same one, I don't see a lot of difference, but the ability to sandbox each service to a list of email accounts, so that the attacker never knows the master account, would be an extra layer of security.

Utility exists here. I just don't think there's enough utility to justify the work.


I use something similar already. I've a domain that is used purely for my email. Normal addresses like webmaster@ are rejected. A script on the server takes the domain I am registering for a service on (eg "google.com"), generates a random-looking but deterministic address, and creates an alias for that address to my real inbox.

End result is that everyone gets a unique email that can't be guessed, I can nuke an address as soon as it starts sending me spam (often) and my true inbox is typically completely clean.

I initially made the mistake of trusting my bank and utility billing systems with my real address. Turns out my power company had their database compromised, and when I called to inform them they refused to believe me (like Dropbox).
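One way to build the deterministic-alias script this post describes, as an added example that is not the commenter's own script: an HMAC of the service's domain under a server-side secret gives a random-looking address nobody can guess, and a small registry does the lookups the HMAC cannot (which service an address was handed to, which aliases are revoked, the Postfix virtual alias map). The secret, mail domain and inbox are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed example values: in practice the secret lives only on the mail
# server and the mail domain is the one reserved purely for these aliases.
SECRET = b"constructed-example-secret-do-not-reuse"
MAIL_DOMAIN = "example.net"
REAL_INBOX = "me@example.net"
LOCAL_PART_LEN = 12  # 12 base32 chars = 60 bits, far beyond what guessing reaches


def normalize_service(service_domain: str) -> str:
    """Canonical form so 'DropBox.com' and ' dropbox.com ' map to one alias."""
    return service_domain.strip().lower().rstrip(".")


def service_alias(service_domain: str, secret: bytes = SECRET,
                  mail_domain: str = MAIL_DOMAIN) -> str:
    """Deterministic but unguessable alias for one service.

    HMAC-SHA256 keyed with the server secret: learning one alias (a spammer
    who gets it from a leak, say) gives nothing toward the alias used for any
    other service, and the same service always yields the same address.
    """
    svc = normalize_service(service_domain)
    digest = hmac.new(secret, svc.encode("utf-8"), hashlib.sha256).digest()
    local = base64.b32encode(digest).decode("ascii").lower().rstrip("=")
    return f"{local[:LOCAL_PART_LEN]}@{mail_domain}"


class AliasRegistry:
    """Tracks which service each alias was handed to, and which are revoked.

    The HMAC cannot be inverted, so attributing a spammed address back to
    the service that leaked it needs this record.
    """

    def __init__(self) -> None:
        self._by_alias: dict[str, str] = {}  # alias -> service domain
        self._revoked: set[str] = set()

    def register(self, service_domain: str) -> str:
        alias = service_alias(service_domain)
        self._by_alias[alias] = normalize_service(service_domain)
        return alias

    def revoke(self, alias: str) -> None:
        """Stop delivering to an alias once it starts receiving spam."""
        self._revoked.add(alias.strip().lower())

    def attribute(self, address: str):
        """Which service was this address given to? None if not one of ours."""
        return self._by_alias.get(address.strip().lower())

    def is_active(self, address: str) -> bool:
        addr = address.strip().lower()
        return addr in self._by_alias and addr not in self._revoked

    def postfix_virtual_map(self, real_inbox: str = REAL_INBOX) -> str:
        """Render the active aliases as Postfix virtual_alias_maps lines."""
        lines = [f"{alias} {real_inbox}" for alias in sorted(self._by_alias)
                 if alias not in self._revoked]
        return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    reg = AliasRegistry()
    for svc in ("dropbox.com", "google.com", "mint.com"):
        print(svc, "->", reg.register(svc))
    # Constructed scenario: spam arrives at the dropbox alias, so attribute
    # it, revoke it and regenerate the alias map without it.
    spammed = service_alias("dropbox.com")
    print("spam to", spammed, "was leaked by", reg.attribute(spammed))
    reg.revoke(spammed)
    print(reg.postfix_virtual_map())
```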


A good five years ago I got two phishing emails to two unique addresses that I had used to contact a local bank. They also refused to believe me, and it was basically my fault for not securing my computer. Somehow.


Well that's terrifying.


A better option might be integrating it into LastPass or 1Password. They already generate a random password for you, why not an email address as well?


That's what rot13 was created for.

dropbox email -> qebcobk@yourdomain.com


I just tell them it makes it easier for me to find their e-mails.


It is actually possible that you violate their tos by doing so - it could be construed as falsely implying some representation of the company. A stretch to any sane person, though any typical terms document contains miles and miles of cya.


Those mods don't work for Dropbox, they are community volunteers who've just been given mod permissions.


Yikes. What a terrible idea to place your brand's reputation in the hands of people that don't hesitate to make assumptions about your customers' intelligence. Adobe allows certain users to speak as "Pros" on their help boards based on their past helpfulness, which has gotten out of hand before, but they certainly make the distinction between staff and user in the nameplate so people know not to associate them with the company itself.

Is the point of volunteering to put it on your résumé for future employment opportunities in customer service?


It's pretty much how the Apple support forums work.


Official employees have "Dropboxer" or something similar as their title.


That doesn't matter in the slightest.

This is the company's OFFICIAL forum, and therefore the conduct of the appointed "moderators" reflects that of the company.


In the absence of any other information, any reasonable person would assume that the "Moderators" are Dropbox employees.


Not if said person isn't actually employed by the company.


IOW, they work for Dropbox, they just don't get paid for it.


That's why they are volunteers.


Wait, what? Volunteering in general or even open source or community software projects makes plenty of sense, but why the hell would anyone volunteer for a private for-profit like Dropbox?

Is it some kind of internship scam?


Some customers really like the product and don't mind helping out other users on forums for free. Happens all over the place on forums of all types.


That didn't work out so perfectly for AOL.

http://en.wikipedia.org/wiki/AOL_Community_Leader_Program


For all intents and purposes, they represent Dropbox. It is a poor choice of Dropbox to let themselves be represented by unqualified, unvetted people and then distance themselves from it "because they are not getting paid". They work for Dropbox, they just do it for free.


I call this "Google effect". Some companies started to think they can have crappy customer support because Google's support is crappy and Google is doing great. Actually Google is doing great despite their crappy support.


Google's support tends to be nonexistent rather than outright hostile. There's quite a difference.


I don't know what is more infuriating. Having some incompetent fool that I can argue with or not even being able to initiate contact.

At least the former inspires hope that it could potentially lead somewhere.


While it's an interesting idea, you're basically just basing that on a load of unfounded assumptions about the people who manage these companies.


Amazon is even worse, especially for their sellers. They really don't care about their sellers at all and use bots/autoresponders for virtually all support.


Is that actually the case? I'm an Amazon Prime user (I mention that because I buy almost everything from Amazon :) and whenever I got in touch with Amazon (Germany) the support was top notch and my issue was resolved very quickly. I am just a buyer though.


Amazon customer service for their buyers is pretty great, in my experience. I broke my Kindle (stepped on it) and they sent me a brand new one, no questions asked. I've heard stories that their customer service for sellers is terrible, however.


Nathan C was doing okay. It's hard when there's a bunch of mods leaping in with irrelevant stuff.


Damn, that's weak. Moderator "Andy Y." doesn't seem to grasp wth is going on at all and the rest of the moderators blatantly ignore ~5 people reporting unique email addresses being leaked.

So much for Dropbox...


Why do people continue to upload and trust their data to this company? I closed my Dropbox account back in 2011 when they had that 'bug' that made passwords for any account optional for four hours.

Since then they have had more security problems/breaches, and admitted to user info being stolen.

Today's news isn't anything concrete... but their moderators were jerks, which makes the company look bad whether they are employees or not.


What alternatives are there?


Google Drive, SpiderOak, SugarSync, Skydrive, Amazon Cloud Drive, Box.net.


There is no Google Drive linux client yet =/. What about the others? I use Dropbox on Windows, Linux, Mac, Android and I have even used it on a personal server. I have not seen anything that can replace it.


Insync works great as a Linux client/integration for Google Drive: https://www.insynchq.com/linux


Which of these use client side encryption?


There's always https://mega.co.nz/


Wuala.com does as well (not mentioned in parent). They are a Swiss company and don't have a lot of traction in the US.


Spideroak does. Their GUI is really awful, but the commandline python script seems to work well.


SpiderOak claims to.


Why are you trusting any of them to do that anyway. Ecryptfs is your friend.


also, aerofs is pretty damn awesome. Just started using it the other week.



Sean, who also posted in the forums on page two and apologised for the moderator's behavior, contacted me by e-mail to send him the spam e-mails that I received. It looks like they're taking it seriously now :) Needless to say, I provided all details that I have (connection log, full mail source).

For those who are curious, this is what I received:

Hi Luc,

My name is Sean, I work on the User Security team at Dropbox. We'd like to look into the issue you reported on the forums. If possible can you forward the emails in question directly to me (xxxx@dropbox.com).

Thanks. Sean


> Just the fact that you listed your emails says it all.

Wow, that moderator is really professional.


I was skeptical at first, but the rest of the evidence makes it look like it's not a coincidence.


This is most definitely not a coincidence. I can tell because this totally explains the spam in the past few days to my school e-mail address. I too use an e-mail address unique for everything, so I thought school leaked it, but this is the only plausible alternative (had to use the school e-mail address on Dropbox for the Space Race a while ago).


Has anyone who created a Dropbox account AFTER July of 2012 noticed this spam increase?

If not, it may be that the compromised list of addresses from summer of last year has finally reached evil hands.


For what it's worth, I signed up for a Dropbox account in late December, and have not received spam at the unique address I provided.


I've signed up since then and haven't received any spam at all(also created a new email at the time).


Aha, that explains it! I've been contacting school about my e-mail address being spammed; I was certain I never publicly posted it. I used my school's e-mail address for the Dropbox Space Race a while ago.


There are several reasons you could be getting spam that aren't related to Dropbox. Without knowing your address, it's possible that the spammers randomly guessed it. Another possibility is that a friend's email or Facebook account was compromised, exposing your email address. (I get a disturbing amount of spam this way.) The cases described in the Dropbox forum are more convincing because the addresses were used only for Dropbox and don't seem to be guessable.


No, that is not possible. I use thousands of e-mail addresses, and only the ones that have dropbox accounts (I confirmed by sending myself password resets) are receiving spam.


It fascinates me how desperate folks are to excuse Dropbox. I wonder why - is it because they're a startup?


No, not because they are a start up, but because it's really damn easy for $random_internet_user to get compromised and not realize it.

Did $random-user share his dropbox email with someone else who was compromised?

Did $random-user save his dropbox email on a large service (like Yahoo), which he had compromised?

Did $random-user not update Java, Adobe, Windows, etc and have his machine compromised? Or in some other way leak information?

I'm not in any way excusing Db, but uncritically blaming them without other possible scenarios seems just as asinine.


> I'm not in any way excusing Db, but uncritically blaming them without other possible scenarios seems just as asinine.

Except you're wrong here - they've admitted they leaked all these unique email addresses, and it isn't actually some cataclysmic combination of coincidences that all these users were compromised. As would otherwise need to be the case.


They aren't letting me post to the forums, but I can also report receiving spam, but only on an address I formerly used with this account, not my latest address.


I use a catchall and give different email addresses to everyone. I've received 3 spam emails in the past month to my dropbox account, but they aren't the only ones with problems, for example the following are the number of spams for various sites:

* 2 emails Foursquare
* 6 emails Groupon
* 6 emails Rackspace
* 25+ emails Ticketmaster
* 50+ Absolute Radio (UK Radio station)

Absolute Radio was hacked, not sure about the others.


The Moderator thinks that the user who created that post and his supporters are idiots. How would someone get to know that a user has an email lala.dropbox@xyz.com, if the user hasn't used it anywhere else?

What happened to you Dropbox?


Just checked my spam folder and sure enough 5 spam emails to my unique dropbox address.


I just did the same thing. Two phishing scams sent to my unique Dropbox address, including one from the nacha.org scam mentioned in the original thread.


I suspect this is a MUCH larger problem than people realize and not Dropbox's fault.

I've noticed in the past few months I've been getting spam to a lot of site specific emails I've used under my Gmail catch all. It's as if a spammer had access to all email addresses I've used for incoming mail. I've talked with friends and found some have had the same problem.

So where are spammers getting the email addresses we've received email from?

1. There's a vulnerability in Gmail / Google Contacts.

2. Some widely used app I've allowed to access my email has been hacked or has been selling email addresses.

3. An Android app that requires access to my email is compromised, either intentionally or unintentionally.

The least likely one I haven't mentioned is that many independent companies have sold my emails which I find very unlikely.

So what's causing this to happen?


> So what's causing this to happen?

4. You're leaking your own email addresses.

Start by looking for malware on every device you touch.


I can guarantee you that none of my devices contain malware. Like I said, a trojan Android app could be a possibility but seems unlikely.


If you have the ability to guarantee that any device is malware free, you could make a lot of money in the security industry, as no one else in the world has such a power.


Who said that? I said my devices, not any device.


Still.


That Chris guy should be fired. A laughable excuse for customer service.

EDIT: Looks like they're volunteers. But still.


The part that made me laugh about all of this is the fact the moderators are saying that spammers most likely guessed all of the unique email addresses people are complaining have been spammed that are only used for Dropbox. That doesn't sound plausible at all, especially considering it's multiple people complaining of being spammed here.

Dropbox's customer service has really gone downhill, what happened?


Dropbox should rename mods 'Support Volunteers' or something, just so users know what kind of help they're getting.

I don't understand why the mods were so quick to defend DB, especially since they don't appear to have access to any privileged info. Dropbox has over 200 employees now and, whatever precautions they take, an occasional slip-up seems entirely possible.


Everyone who received the spam should pastebin the emails along with the header and share them for comparison. If those spam messages are found to be similar then it can be pinpointed that they all have originated from the same person/group and it was no usual hit & miss technique by the spammers which the moderator is contemplating about.


This post in the forum thread may be on to something:

"I also have a unique dropbox email address, it was compromised on 2/6, but I tracked it down to a friends system that was hacked. I had shared a dropbox folder with them, they got the email from my dropbox address. Virus on their system collected my dropbox email from their system."


This makes me think about why I've been receiving spam at my professional email, which I tend to use quite sparingly.


You know, it's funny because I got a very clever Pay Pal phishing e-mail this morning, linking to a PHP script hosted on renault-astrakhan.ru

What's worse is that I sent invitations to dropbox some time ago to people that I have to now contact and say "Please be aware of this phishing e-mail disguised as a Pay Pal e-mail."

+1 for an alternative service, to be honest. Dropbox is very well done, but this is a good reason to stop using their service if they can't secure their clients' information.

It would greatly benefit them if they found the root of the problem, and reported if it were indeed an issue with them or one of the clients for dropbox.


What about the possibility that end-users' computers are breached?

- User/pass is saved in the 'Remembered password' area of the browser (this is decodable by malware)
- Email is screen-scraped by malware
- Email is sniffed during login at a wifi hotspot (password is encrypted, user/email may not be)
- 3rd party apps that are linked to your Dropbox account

I'm not saying that this wasn't caused by the database breach, but there are a TON of reasons that this could have happened. Some on Dropbox, some on the end users.

Don't expect your email address to stay private. That's what passwords are for.


Yeah, it's tough to really know who leaked. Alice and Bob both know secret S, and each can blame the other if S is leaked, but neither of them really knows who did it.

There have been some research projects where unique and unguessable passwords were made in laboratory conditions and securely given to sites to see if they managed to leak. I trust those a lot more because they often lock up the email addresses and never use them. From what I recall some big companies did give out addresses they promised not to, but that's not a blanket condemnation of all businesses.


Yeah, but if that happened to a person who habitually used sub-addressing it would be pretty obvious. They would likely have received the same spam many times from many of their sub-addressed emails. People who take the trouble to set this up, don't use it in only one place.


Fortunately, GMail handles almost all of my spam, so this stuff is a non-event for me. But I don't like that there may have been a security breach. Thanks to whomever HN'd this so it would get attention.


I have a unique email address for dropbox that has not received any spam. I created it a couple years ago but only used it once briefly.


I didn’t get any spam either, but then a short grep through my mail.log showed this:

  2013-02-28T18:05:18.865406+01:00 nfc postfix/smtpd[14995]: NOQUEUE: reject: RCPT from bl14-172-78.dsl.telepac.pt[85.247.172.78]: 504 5.5.2 <discus>: Helo command rejected: need fully-qualified hostname; from=<fuzzilyjg755@lanuschny.de> to=<X_dropbox@example.net> proto=ESMTP helo=<discus>


It is as if spammers don't even try anymore! Bogus helo is soon 1990s..


Postfix’s reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, and reject_unknown_helo_hostname really work wonders for me – but then it is only a small server with 1.5 users and a total of about 300 delivery attempts a day (85% rejected, 5% later classified as spam, 10% actual email).
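
As an added example (not from this thread or from Postfix), a small Python script that parses reject lines like the one quoted above, maps the rejection text back to the smtpd_helo_restrictions entry that produced it, and tallies rejected attempts per service alias so you can see which address a spam run is hitting. The two extra log lines are constructed, the reason strings for the other two restrictions are assumed, and the alias tagging handles both the prefix_service form of the quoted line and the +tag form discussed further down.

```python
import re
from collections import Counter, defaultdict

# Postfix smtpd reject lines. The first is the one quoted in the thread; the other
# two are constructed for this example, with reason texts assumed to match the
# other two HELO restrictions (verify against your own mail.log first).
LOG_LINES = [
    "2013-02-28T18:05:18.865406+01:00 nfc postfix/smtpd[14995]: NOQUEUE: reject: RCPT from bl14-172-78.dsl.telepac.pt[85.247.172.78]: 504 5.5.2 <discus>: Helo command rejected: need fully-qualified hostname; from=<fuzzilyjg755@lanuschny.de> to=<X_dropbox@example.net> proto=ESMTP helo=<discus>",
    "2013-02-28T19:10:02.000001+01:00 nfc postfix/smtpd[15010]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.invalid.test>: Helo command rejected: Host not found; from=<bulk@example.org> to=<X_dropbox@example.net> proto=ESMTP helo=<mail.invalid.test>",
    "2013-02-28T19:12:44.000002+01:00 nfc postfix/smtpd[15011]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 501 5.5.2 <[x]>: Helo command rejected: Invalid name; from=<deals@example.com> to=<user+amazon@example.net> proto=ESMTP helo=<[x]>",
]

REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\S+) <[^>]*>: "
    r"Helo command rejected: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>$"
)
RESTRICTION_FOR_REASON = {  # reason text -> smtpd_helo_restrictions entry
    "need fully-qualified hostname": "reject_non_fqdn_helo_hostname",
    "Host not found": "reject_unknown_helo_hostname",  # assumed text
    "Invalid name": "reject_invalid_helo_hostname",    # assumed text
}

def parse_reject(line):
    """Fields of a HELO-reject line as a dict, or None if the line is not one."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["restriction"] = RESTRICTION_FOR_REASON.get(rec["reason"].strip(), "unknown")
    return rec

def alias_tag(rcpt):
    """Service tag: 'user+amazon@x' -> 'amazon'; 'X_dropbox@x' (form of the quoted line) -> 'dropbox'."""
    local = rcpt.split("@", 1)[0]
    if "+" in local:
        return local.split("+", 1)[1]
    return local.split("_", 1)[1] if "_" in local else local

def summarize(lines):
    """Rejected attempts per alias and per restriction, plus envelope senders seen per alias."""
    per_alias, per_restriction, senders = Counter(), Counter(), defaultdict(set)
    for rec in filter(None, map(parse_reject, lines)):
        tag = alias_tag(rec["rcpt"])
        per_alias[tag] += 1
        per_restriction[rec["restriction"]] += 1
        senders[tag].add(rec["sender"])  # compare these across victims, as suggested upthread
    return per_alias, per_restriction, senders
```

Feed it `grep 'Helo command rejected' /var/log/mail.log` and the per-alias counts tell you which of your per-service addresses the run is hitting; the sender sets are what to compare with other affected users.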


Is that dropbox@domain.com email listed on any of your phone contacts? Ever had a virus on a machine that has sent or received an email from that account? How many people know that account exists? Only one of them needs to have a careless attitude about permissions.


Nope, nope and nope.


See, the problem with that email address (dropbox@example.com) is that it tells me that I can try amazon@example.com, paypal@example.com. So, if I get access to an email for somerandomsite@example.com, trying these others is fairly trivial. It takes no time to suddenly generate an effective list of emails to try.

The point being, using a pattern is easy to discover. Even if that pattern is a random set of characters.

Would spammers email this? Yes. Why? Because they bought an email list that someone generated using this method.

Not saying this is what happened here, but if you've entered in emails on a site, you open yourself up.


Nope. I didn't use dropbox@mydomain but another string that was not guessable.

And how is a random pattern easy to discover? Quite coincidental that of the hundreds of addresses, just the three that are used for Dropbox are receiving spam in the past few days.

The spam I'm receiving is the kind of spam that you attempt to send to a non-tech audience (obvious phishing is obvious). The addresses were harvested, not carefully picked by looking at other addresses I used with my domain. The word "dropbox" is not even in the spammed addresses; they were school addresses. I never publicly mentioned I even went to that school. They are also three variants on the school's name; incredible that they picked just these three to spam.


I checked my e-mail account that I used for Dropbox and there is a spam mail coming from ...@direct.nacha.org, which is the same domain one of the customers in the forum received. So it seems they are right, this is not a random guess.


Why is Dropbox letting volunteer moderators represent them so poorly? Dropbox is a grown up company now, train and pay a couple people to moderate, or at least make it more clear they're volunteers not employees of the company.


This dropbox forum is exploding. Fascinating to watch.

As an aside, who knew so many people had "dropbox only" email accounts. One guy with 10 random letters/numbers he uses only for dropbox. Wow. Is this a thing?


While the <email>+unique@domain trick is easily avoided by spammers (strip the +unique), an alternative (and likely what the user with the 10-digit random email is using) is to use a personal domain name for a single user's email.

The mailserver is configured to push <anything>@mydomain.com to a catch-all mailbox, and the unique TO: lines make for exceptionally flexible filtering/easy identification when a company "loses" your email address.

While this is a thing, it's probably only common amongst folks who carry scars from years of adminning mailservers :)


The email standard lets you use a random string in the address if you type + after your "name". For example, you have the address hehe.haha@gmail.com, and now you can give Dropbox hehe.haha+dropbox@gmail.com and still get the mails that Dropbox sends to the same hehe.haha@gmail.com box, while "send to" still remains hehe.haha+dropbox@gmail.com.

This is the best way (that I know) to find out where your address was leaked.


Since it's a standard, it's worthless. Any spammer worth his salt would remove everything after the '+' sign from the email address.


What about a possible leak from a 3rd party? Did you, by chance, use Mailbox? Do third-party apps (1Password, etc.) that sync using Dropbox get access to your email address?


I have to say, accusing Dropbox of leaking in the title of the thread, without any actual basis, since it is possible that the user cocked up somewhere, is not the best way to get polite support. Yes, the mods could have been a lot more professional, but I can see why their backs were up and why they would be defensive.

On the other hand, too often as a user I feel I have to walk on eggshells to avoid upsetting some oversensitive petal of a forum mod. One misunderstood word and you are banned for life, with no appeal whatsoever.

All of which leads me to think there should be some third party arbitration for this sort of thing.


No, it's perfectly fine to accuse in this case. It's very unlikely for something like that to be guessed and the dropbox moderators should understand how email works or else they shouldn't be responding.


All of which leads me to think there should be some third party arbitration for this sort of thing.

There are companies that do this - in the US, we have the Better Business Bureau (BBB) and they handle this sort of thing for offline companies. The problem with this approach is one of cost - if I want my company to appear "In Good Standing" with the BBB, I have to pay $800 per year regardless of whether anyone files a complaint or praise with my company. Ouch. Good luck getting that to work on the web.


Slightly off-topic, but what kind of forum software does Dropbox use? I like the clean look and the use of the blue background for the Dropbox employee.


That's why client-side encryption is useful - even with the company (Dropbox) not leaking/selling their users' data on purpose, it is easy to inadvertently leak it.

Proper client-side encryption, while often not appropriate in critical environments, is useful to protect against this type of situation.

Disclosure: I run AES.io


Why? Welcome to the cloud world!


I'm all for busting some balls, especially if we're talking Dropbox. But shit like this happens all the time, and it's not like by busting some balls here we're going to improve the situation broadly speaking.

It's really absurd to expect that your information will actually be safeguarded by some entity that isn't you. As soon as you give any data to anyone, it's gone. You should pretty much assume it's public and get on with your life. Did y'all catch that blog post up yesterday from the kid who deleted the USERS table at his job, because he was developing against a production database and running queries against it by hand? Experience has led me to believe that's the situation at like all things, everywhere, all the time. Ass clowns emailing around spreadsheets with user data; people getting malware installed on their Windows shit and entire infrastructures' data being compromised. It's a joke. Let's just always remember that while we're busting balls. But if you value your data, don't give it to anybody, ever.

