
The people he shared folders with could have been compromised.



Entirely possible. The moderator's handling of this issue was pitifully bad but the assumption that Dropbox MUST be at fault here is ridiculous.


Dropbox may or may not be "at fault", but they've certainly got a problem. Even if the root cause turns out to be a common rootkit/trojan/botnet has started extracting and reporting email addresses from Dropbox clients on exploited customer machines, that's still a problem for Dropbox (and their customers) even though few people would call Dropbox "at fault" in that circumstance.

And, the mods there held on to the "it must be your fault, probably just an easily guessable email address + random bad luck" line _way_ past the point of credibility.


"they've certainly got a problem"

If you mean they should sort out their forum moderation policies then I agree.

If you mean that this must be a technical problem on their part then I disagree. A 3rd party submitting their address book to a Friend Finder or similar tool would not be the responsibility of Dropbox.


We both agree on two points, they need to do something about their support forum, and they don't definitely have a technical problem with their site/code/security.

They do seem to have a customer expectation and privacy problem though. If, as described by enough forum posters for it not to be a coincidence, email accounts created just for Dropbox's service and which are not trivially guessable are getting spammed - then Dropbox has somehow leaked customer data that customers had expectations of being private. If that were me, I'd consider myself to "certainly have a problem" - whether that problem is "my user database just got exposed via an SQLi attack", or "my contract with my newsletter emailing partner or customer support software service wasn't well thought through enough and they've used my clients' email addresses without my/their permission".

While I agree that a 3rd party (or even a 3rd party app) uploading their address book is beyond Dropbox's control - that doesn't seem likely to be the cause from my reading of the first few pages of that forum thread this morning - I doubt the sort of person who creates "username.dropbox@example.com" style email addresses for Dropbox is likely to then add that address into a contact list where Facebook or Instagram style contact-mining apps are likely to find them.

It'll be interesting to see this as it pans out - I'm reasonably sure Dropbox or one of their partners (I'd put a small wager on Zendesk) or some malware targeting their client-app, is "leaking" username/emails.


I think you're missing the perfectly plausible use case where the user has used the Dropbox send link feature.

Note that a third party will now have the second party's email address without Dropbox being in any way culpable.

It's possible that the feature was never used but it's hardly an obscure use case.



