We had the same problem at MacHeist (people got their specific macheist+ prefixes targeted with spam). Turned out it was our email provider iContact who were hacked. We weren't the only ones. They posted a non-committal blog post about "investigating the matter", which then mysteriously disappeared when they upgraded their blogging platform.
The hack did real damage to our reputation (the "software bundle" space has a poor reputation to begin with, and receiving spam confirmed people's expectations), and they wouldn't own up to it. Be careful which third parties you entrust your users' email addresses to.
I use unique addresses, and periodically am on the reporting end of problems like this. Once I started getting the same spam from two unrelated companies at the same time, and they tracked it down to a common email marketing company that was where the actual breach occurred. Another time it turned out emails had been staged in a less secure system in preparation for sending email marketing. So it must be pretty common that a compromise doesn't actually mean the core product or database has been compromised.
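The per-service address trick described in the comment above, as an added example (not code from anyone in this thread): each service gets its own `user+tag@domain` address, incoming mail is checked against the service that tag was handed to, and leaked tags are then grouped by spam campaign so that one run hitting addresses given to unrelated services stands out as a likely shared upstream (a common mailing vendor) rather than separate breaches. The tag-to-service mapping, sender domains and inbox messages are constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Which service each plus-address tag was handed to. Constructed sample mapping;
# in practice this is the list you keep when you sign up as user+service@domain.
TAG_OWNER = {
    "dropbox": "dropbox.com",
    "linkedin": "linkedin.com",
    "macheist": "macheist.com",
    "bank": "examplebank.com",   # hypothetical service
}

@dataclass(frozen=True)
class Message:
    to: str           # recipient address as seen in the envelope / To header
    from_domain: str  # domain of the sender (From header or envelope sender)
    subject: str

# user+tag@domain; the "+tag" part is optional.
ADDR_RE = re.compile(r"^(?P<user>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")

def tag_of(address):
    """Return the plus-address tag of an address, or None if it has none or is malformed."""
    m = ADDR_RE.match(address.strip().lower())
    return m.group("tag") if m else None

def is_expected_sender(tag, from_domain):
    """True if from_domain is the service that tag was given to, or one of its subdomains."""
    owner = TAG_OWNER.get(tag)
    if owner is None:
        return False
    d = from_domain.lower()
    return d == owner or d.endswith("." + owner)

def attribute_leaks(messages):
    """Map each known tag to the messages that reached it from an unexpected sender.
    Mail arriving at user+dropbox@... from a domain other than Dropbox's means that
    address has left Dropbox's (or its vendor's) hands. Untagged/unknown tags are skipped."""
    leaks = defaultdict(list)
    for msg in messages:
        tag = tag_of(msg.to)
        if tag not in TAG_OWNER:
            continue
        if not is_expected_sender(tag, msg.from_domain):
            leaks[tag].append(msg)
    return dict(leaks)

def correlate_campaigns(leaks):
    """Group leaked messages by a campaign fingerprint (sender domain + normalised subject)
    and return the fingerprints that hit more than one tag. One spam run reaching
    addresses given to unrelated services points at a shared upstream rather than at
    independent breaches of each service."""
    hits = defaultdict(set)
    for tag, msgs in leaks.items():
        for m in msgs:
            key = (m.from_domain.lower(), re.sub(r"\s+", " ", m.subject.strip().lower()))
            hits[key].add(tag)
    return {key: sorted(tags) for key, tags in hits.items() if len(tags) > 1}

# Constructed inbox sample (not real mail): sender domains and subjects are made up.
SAMPLE = [
    Message("alice+dropbox@example.org", "dropbox.com", "Your shared folder"),
    Message("alice+linkedin@example.org", "mail.linkedin.com", "You have a new connection"),
    Message("alice+dropbox@example.org", "euro-dice.example", "Euro Dice Exchange"),
    Message("alice+macheist@example.org", "euro-dice.example", "Euro  Dice Exchange "),
    Message("alice+bank@example.org", "phish.example", "Verify your account"),
    Message("alice@example.org", "newsletter.example", "Weekly digest"),    # untagged: ignored
    Message("alice+unknown@example.org", "whatever.example", "Hi"),         # unknown tag: ignored
]

if __name__ == "__main__":
    leaks = attribute_leaks(SAMPLE)
    for tag, msgs in sorted(leaks.items()):
        senders = ", ".join(sorted({m.from_domain for m in msgs}))
        print(f"{tag}: {len(msgs)} message(s) from unexpected senders ({senders})")
    for (domain, subject), tags in correlate_campaigns(leaks).items():
        print(f"campaign '{subject}' from {domain} hit tags {tags}: suspect a shared upstream")
```

The sender check deliberately matches the owner domain and its subdomains only, so `linkedin.com.evil.example` is still flagged; the correlation step cannot name the vendor, it only shows which tags were leaked together, which is the lead you take to the companies involved.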
For the record, I haven't received any spam to my Dropbox-only email account, which means they probably didn't get the WHOLE user database.
I once contacted bulksms.co.uk after I received some spam on an email address dedicated to their site only. They also identified the leak as being from a third party provider they used for mailshots. They promptly found a new provider.
Better luck than I've had. Topaz Labs just ignored me when I pointed out there'd been a breach (unique email address with their name in it); they lost a sale of an otherwise good software product.
Has anyone considered that the LinkedIn hack (6.5+ million accounts, with passwords run through a non-salted SHA-1) could be responsible for much of this?
I remember a lot of people having their Diablo 3 accounts hacked and their items stolen right around that time.
This seems possible. People usually use the same email and password for every account they create, so all the hacker needs to do is try the username and password on other sites.
Spam went to "unique email addresses for Dropbox".
So a compromised LinkedIn account wouldn't expose a user's unique Dropbox email address. There would be little to no reason to give LinkedIn a unique Dropbox email.
On the other hand, if you need to share your Dropbox email with other people in order to share private folders, or anything similar, then just compromising THEIR computer could expose your email address.
For what it's worth, I've been getting these "Euro Dice Exchange" spam messages in Canada as well. I believe the emails are being sent out sorted by domain name, as the email I received was addressed to both my university e-mail (which I used to sign up for Dropbox) and several other university e-mail addresses.
This is definitely not from the LinkedIn hack. I don't have a LinkedIn account. Combined with the people who were receiving spam at Dropbox-specific emails, I don't see how it could be anything other than Dropbox.
What makes you think that the average user is better able to secure their own hosted system than a company with a dedicated team of security engineers can?
I'll suggest that fragmentation - not having a single point to find all user data - would reduce the impact of a breach. Dropbox is a higher value target than John Doe, so hackers are probably less motivated. The user's system itself may not be as secure, but it may not need to be, because a breach is isolated and an attacker would be less motivated.
Because of the honeypot effect. There is not much incentive for a hacker to hack an individual machine. He/she is better off targeting efforts towards sites like Dropbox. We saw the SkyDrive privacy breach yesterday. Before that we saw the Yahoo leak: http://www.readwriteweb.com/archives/yahoos-450-000-account-....
For instance, my employer IBM banned the use of dropbox in the company.