Early Thursday, Dropbox user Forrest F made an exceptional claim on Dropbox's support forums: "You guys leaked or gave out my email. Why?"

Forrest, it turns out, had employed a trick common among cautious internet users — he used a unique variation of his email address, otherwise known as an alias, whenever he signed up for a new service. That way, the thinking goes, he could see if any companies he trusted with his information were sharing it. If spam arrived in his inbox, he could see that it was sent to an alias, and track it back to its source. Recently, he started getting spam — and it came from his Dropbox address.

A moderater quickly addressed the claim, saying that Forrest likely hadn't been hacked. "A lot of spammers try hit-and-miss techniques," he wrote, "and you're likely just a random victim rather than a whole mass leak of tons of DB users' emails."

Forrest didn't buy it: "I have several emails set up with several sites some for even a few years," he said. "But someone, somehow, figured out just this one. Amazing."

"Right," the moderator said, "That's essentially what I was saying. It was a random guess. Dropbox doesn't give away emails like this."

But then, what started as a single user complain quickly snowballed. Complaints came rolling in, and many confirmed that email addresses used only with Dropbox had started receiving spam: