Wong v. Dropbox: a class action over the 2011 'any password' bug
2011
Days after Dropbox disclosed the June 2011 bug that briefly let anyone sign into any account with any password, a plaintiff filed a class action alleging privacy and consumer-protection violations; the case was terminated within four months.
What happened
On 19 June 2011 Dropbox disclosed an authentication bug that, for a window of about four hours, allowed any logged-in session to access any account without the correct password. Days later, on 22 June 2011, plaintiff Cristina Wong filed a putative class action against Dropbox in the U.S. District Court for the Northern District of California (Wong v. Dropbox, Inc., No. 4:11-cv-03092), before Judge Laurel Beeler.
The complaint alleged, on behalf of affected Dropbox users, that the security lapse violated California's Unfair Competition Law, constituted an invasion of privacy, and amounted to negligence and breach of warranty. The case was terminated on 18 October 2011, under four months after it was filed. The specific disposition (whether by voluntary dismissal, an early settlement, or otherwise) is not confirmed in the accessible record, so no definitive outcome is asserted here beyond the early termination.
The suit is the litigation counterpart to the well-documented 2011 authentication bug, translating that security incident into a consumer lawsuit almost immediately.
Impact
Wong v. Dropbox shows how quickly a publicized security failure could become litigation, and it is an early data point in the pattern of consumer suits following Dropbox security incidents — a pattern that recurs through the 2012 credential theft and the 2024 Dropbox Sign breach. Its rapid termination, however, reflects the difficulty plaintiffs faced in proving concrete harm from a short-lived bug.