paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|

I use DropBox a lot. I also use Gmail for one of my email addresses. The problem, as you are likely to be aware, is that people apply the following formula when sending emails: “name + @gmail.com = person I am thinking of”. Consequently, I get emails for people who have my name in my Gmail account. Sometimes, other people give the gmail address out when registering for services. So, for example, I’ve got a service record for someone’s because someone sharing my name thought that “my name + @gmail.com = them”. Not helped by Gmail ignoring the “.” character in the user name.
Usually, I can sort these things out. A quick email solves the problem. But not this time.
Enter DropBox, an HTC phone and an offer for extra space. Someone with my name took advantage of this offer. I know this because I got a couple of emails from DropBox to my Gmail account. The first one inviting me to download DropBox to my computer. This I ignored because I thought it may be some phishing attempt (though Gmail is pretty good at filtering this kind of message out). The next day, I got another email - this time inviting me to claim my 23GB of space. So I visited the DropBox site, and found that, yes, there is someone using an account associated with an email address that resolves to my Gmail address.
So, what to do? My first thought (helped by some suggestions on Twitter) was to drop some files that say things like “I’m watching you”. Funny, may scare someone, but not helpful. So instead, what I did was to drop a text file explaining the situation, and detailing what they should do. DropBox allows you to change your email address, so they can do that. To do this, I had to change the password. As I get all the email for that account, the “I forgot” thing works. So password changed, and helpful text file uploaded. As DB uses OAuth, this will be transparent. The other user should see that file and, hopefully, act on it.
At this point, I’ll mention that at no stage did I get a “please verify your email address before you start using DropBox” type message. So the other me clearly hit a button, tapped in something he thought would work, and carried on.
To date, I’ve not seen any change in the account - I can still log in. All they have is their phone backups, and nothing else.
So, I did a search on DB’s site, and their forum has someone else detailing pretty much the same problem. Again, no authentication email. Someone is using his Gmail address for their account too.
I dropped a message to DropBox support, hoping that they could resolve the issue - either by contacting the user of the account, or by advising me on what to do. My concern is that any content uploaded to that account will be associated with me, and I don’t want that really.
I got a reply from DB support today. It was a boilerplate “we get loads of requests and we can’t reply to them all, so here are some helpful links” reply, with nothing to address my situation.
Therefore, I think that if, after a month, nothing changes, I should be OK to wipe the account?
|
Mon Jan 13, 2014 10:11 am |
|
 |
ProfessorF
What's a life?
Joined: Thu Apr 23, 2009 7:56 pm Posts: 12030
|
I think, fundamentally, this is a gmail problem not a dropbox problem.
|
Mon Jan 13, 2014 10:24 am |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
Actually it's a problem that's caused by dropbox using something that isn't actually a form of identification (an email address) as if it was a form of identification.
As for Paul's dilemma, have you had the email address for a long time? Likely before the dropbox account was created? If so, I think you're well within your rights to clear it out, change the password and whoever used your email address to get themselves some extra dropbox space can go fly a kite. If this is a case of gmail allowing the re-use of email addresses (i.e. someone else had your email address first, registered a dropbox account against it then the email account lapsed and Google gave it to you at some later point) then Google deserve a slap but you should probably be a bit more polite.
|
Mon Jan 13, 2014 10:36 am |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
Fundamentally, yes, but the problems with DropBox are:
a) No authentication when the account was opened - if there was, then it would have come to me not the other person, so the account would not have continued, and
b) Nothing from DropBox on how to resolve this.
I have had the Gmail address for a very long time - I got it when Gmail was only available by invite. I think it was 2004 - a very long time ago. That account has never lapsed - it’s been in use by me since that time. So I’ll give it a few more days, and then delete the account. The only problem is that the other person may well re-register with the same email address again.
|
Mon Jan 13, 2014 10:45 am |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
Then don't delete it. A password change request should go to your email address, right? So change the password and lock the account out. You get control, miscreant can't re-register using the same email address.
EDIT: Unless they use cookie/OAuth based access control, in which case they'll still get access even if you change the password. Hmm. Worth a try anyway.
|
Mon Jan 13, 2014 10:50 am |
|
 |
saspro
Site Admin
Joined: Thu Apr 23, 2009 5:53 pm Posts: 8603 Location: location, location
|
Leave one more polite note, then change the password & lock out all the connected devices by revoking the OAuth token.
|
Mon Jan 13, 2014 10:53 am |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
I think that’s what I’ll do. Seems a sensible approach.
|
Mon Jan 13, 2014 2:47 pm |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
A second note was left, but nothing happened. It did give full warning that the account would be disabled this week. I’ve just changed the password (20 characters of random characters) and unlinked the phone and apps.
What I’ve not done is delete the account, so it won’t be registered using that email address again. I feel bad, but I have to watch my own back as clearly DropBox won’t.
|
Thu Jan 16, 2014 12:26 pm |
|
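An added example, not part of the thread and not Dropbox's code: a minimal account store showing the two controls the posters discuss, a signup that stays inactive until the mailbox owner confirms it, and a password reset that also revokes linked-device tokens. All names (`AccountStore`, `canonical_gmail`, the sample addresses) are hypothetical and constructed for illustration.

```python
import secrets

def canonical_gmail(addr):
    """Gmail ignores '.' in the user name, so dotted variants reach one mailbox."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"

class AccountStore:
    """Hypothetical service-side model; passwords omitted to keep the focus."""
    def __init__(self):
        self.accounts = {}  # canonical address -> {"verified": bool, "tokens": set}
        self.pending = {}   # verification code -> canonical address

    def register(self, email):
        key = canonical_gmail(email)
        if key in self.accounts:
            raise ValueError("address already registered")
        self.accounts[key] = {"verified": False, "tokens": set()}
        code = secrets.token_urlsafe(16)
        self.pending[code] = key
        return code  # e-mailed to the address; only the mailbox owner sees it

    def verify(self, code):
        key = self.pending.pop(code, None)
        if key is None:
            return False
        self.accounts[key]["verified"] = True
        return True

    def link_device(self, email):
        acct = self.accounts[canonical_gmail(email)]
        if not acct["verified"]:
            # The missing step in the thread: no confirmation, no usable account.
            raise PermissionError("address not verified")
        token = secrets.token_urlsafe(16)
        acct["tokens"].add(token)
        return token

    def reset_password(self, email, revoke_tokens=True):
        acct = self.accounts[canonical_gmail(email)]
        # A reset alone leaves token-based sessions alive; revoke them too.
        if revoke_tokens:
            acct["tokens"].clear()

    def token_valid(self, email, token):
        return token in self.accounts[canonical_gmail(email)]["tokens"]
```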