Much of the spam appears to have been sent to users with their own domains who created a custom email address such as email@example.com to register for the Dropbox file-sharing service. This would suggest that the spammers may simply have been lucky. According to forum discussions, however, emails have also been received by people who have not used this easily guessable address format.
On the Dropbox forums, the company announced that it has asked its security team to investigate the incident, and has also called in outside experts. At present, it has found no evidence of unauthorized access to Dropbox accounts, but this could change as the investigation moves forward. The company has reassured users that a recent thirty minute web site outage had nothing to do with this incident.