Tracker
Every documented Dropbox security incident, data breach, and government-access concern in the archive — ordered most-severe first. Each entry links to the full sourced write-up.
An attacker compromised the production environment of Dropbox Sign (formerly HelloSign), exposing customer emails, usernames, phone numbers, hashed passwords, and authentication secrets including API keys, OAuth tokens, and MFA data.
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.
Following the 2024 Dropbox Sign breach, affected users filed proposed class-action lawsuits accusing Dropbox of failing to secure their data and of notifying victims too slowly. Dropbox has contested the claims, arguing the exposed data poses no identity-theft risk.
After Dropbox disclosed the April 2024 Dropbox Sign breach, affected users filed proposed class actions in federal court alleging Dropbox negligently failed to protect their data and did not give prompt, adequate notice; the claims are allegations and the consolidated litigation followed in the Northern District of California.
A phishing campaign impersonating the CI provider CircleCI tricked Dropbox employees into handing over credentials and 2FA codes, letting attackers copy 130 of Dropbox's private source-code repositories.
The 2018 CLOUD Act amended US law so that a US-based provider like Dropbox can be compelled to produce a user's data regardless of which country the data is physically stored in — meaning a US warrant can reach an overseas user's files.
When the full 2012 credential dump resurfaced in 2016, Dropbox forced a password reset on every user who had signed up before mid-2012 and never changed their password — a sweeping operational response that, for many, was the first sign anything was wrong.
At Black Hat USA 2015, Imperva researchers showed that stealing a single synchronization token let an attacker take over a Dropbox account and read its files indefinitely — and that, in Dropbox's case, changing the password did not revoke the stolen token.
Researchers found that Dropbox's shared links to supposedly private documents could leak to third parties — exposed through browser referer headers and, in some cases, surfacing in Google search results — revealing tax returns, bank records, and business plans.
After the 2013 PRISM disclosures named major US tech firms, Dropbox spent the following years documenting — through its own reports and advocacy — that it sits inside the same surveillance ecosystem: subject to NSLs, FISA orders and rising law-enforcement demands, with only banded, gagged disclosure permitted.
Dropbox is subject to National Security Letters and FISA orders that arrive with gag provisions barring it from disclosing even that it received them; the most it can publish is a band such as '0–249' national-security requests.
Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.
Researcher Derek Newton showed that Dropbox's desktop client stored an unencrypted authentication token (host_id) in a local config.db file — copy that one value to another machine and you owned the victim's account, with no password and no notification.
Security researcher Christopher Soghoian filed a complaint with the U.S. Federal Trade Commission alleging that Dropbox made deceptive claims about its encryption, because Dropbox employees could in fact access users' files.
Across multiple years, attackers have built convincing fake Dropbox login pages — reached via PDF lures and redirect chains through trusted cloud storage — to harvest victims' real business email and Dropbox credentials.
A succession of episodes — the 2023 OpenAI default-on toggle, the 2024 Dropbox Sign breach and litigation, two rounds of mass layoffs, declining users, and serial product shutdowns — has coalesced into a durable narrative that Dropbox is a fading incumbent whose trust and relevance are eroding.
Beyond credential phishing, attackers have used Dropbox links to deliver malware — distributing remote-access trojans such as AsyncRAT through Dropbox-hosted archives and shortcut files that abuse the service's trusted reputation to get past defenses.
Dropbox runs industry hash-matching (PhotoDNA, NCMEC and IWF hash lists) and an unhashed-content classifier across files added to or shared on the service, reporting matches to NCMEC — a legitimate child-safety system that is also, by design, a server-side scan of users' private content.
Check Point recorded thousands of attacks in which criminals hosted credential-harvesting documents on Dropbox itself, so the phishing emails came genuinely from a real dropbox.com sender address and sailed past filters that trust the Dropbox domain.
ESET and Avast documented the Worok espionage group's 'DropBoxControl' backdoor, which abused the Dropbox API as its entire command-and-control channel — reading commands from, and uploading stolen data to, ordinary files in a Dropbox account.
The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.
Dropbox's own Transparency Report shows that a large share of the search warrants it receives arrive with indefinite non-disclosure orders, leaving the company unable to ever notify those users that the government took their data.
European courts and regulators treat data held by US providers as inherently reachable by US surveillance under FISA Section 702 and the CLOUD Act — a structural concern that applies to any US-controlled cloud service, including Dropbox, regardless of where servers sit.
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
Researchers revealed that Dropbox's Mac client used a user's admin password to directly edit macOS's protected TCC.db permissions database, inserting itself into the Accessibility list — a privacy/trust list that grants near-total control over the machine — without a clear, informed prompt.
Dropbox runs every uploaded image and video through hash-matching systems such as Microsoft's PhotoDNA to detect known child sexual abuse material — automated scanning of users' private files that the company initially refused to explain.
On 10–11 January 2014 Dropbox went dark for roughly two hours after an internal maintenance error, while a group calling itself 1775 Sec falsely claimed to have breached it — a hoax that briefly stoked panic about user data.
Hackers claimed to have stolen nearly 7 million Dropbox logins, posted batches on Pastebin, and demanded Bitcoin — but the credentials came from other breached services, not Dropbox itself.
Q-CERT researchers found that because Dropbox did not verify email addresses at signup, an attacker who already had a victim's password could register a near-duplicate email, enable 2FA on it, and use the resulting emergency code to switch off the real account's two-step verification.
At Black Hat Europe 2013, a researcher demonstrated 'DropSmack,' a technique that abused Dropbox sync to slip malware past corporate firewalls and quietly exfiltrate company files.
At USENIX WOOT 2013, Dhiru Kholia and Przemyslaw Wegrzyn unpacked and decompiled Dropbox's obfuscated-Python desktop client, demonstrated SSL interception via code injection, and described a way to hijack accounts and bypass two-factor authentication.
The 2001 USA PATRIOT Act expanded US government access to records held by domestic companies and became the original reason foreign organizations distrusted storing data with US cloud providers — a concern that still attaches to Dropbox today.
Under the 1986 Stored Communications Act, US law enforcement can obtain a Dropbox user's basic subscriber records with a subpoena, account usage records with a court order, and the actual contents of their files with a search warrant — a tiered framework Dropbox publishes in its own guidelines.
As thousands of intercepted Snapchat photos leaked in the so-called 'Snappening,' early reports tied Dropbox to the incident — but Dropbox flatly denied any involvement, and the actual leaks came from third-party apps and unrelated breaches, not Dropbox's systems.
Because gag orders bar providers from confirming secret national-security demands, some companies post a 'warrant canary' — a standing statement that disappears if such a demand arrives. Dropbox relies on banded transparency reporting rather than a canary, leaving the most sensitive demands invisible to users.
Days after Dropbox disclosed the June 2011 bug that briefly let anyone sign into any account with any password, a plaintiff filed a class action alleging privacy and consumer-protection violations; the case was terminated within four months.