The archive

Issues Database

Every documented issue, searchable and filterable by category, year, and keyword. Toggle between grid and timeline views, and export the filtered set to CSV.

May 20143 sources

The 2014 shared-link leak: 'private' documents exposed via referer headers and search

Researchers found that Dropbox's shared links to supposedly private documents could leak to third parties — exposed through browser referer headers and, in some cases, surfacing in Google search results — revealing tax returns, bank records, and business plans.

Security Incidents & Data BreachesPrivacy & Encryption Concerns

Read documentation

January 20143 sources

The January 2014 outage: hours of downtime and a fake 'hack' claim

On 10–11 January 2014 Dropbox went dark for roughly two hours after an internal maintenance error, while a group calling itself 1775 Sec falsely claimed to have breached it — a hoax that briefly stoked panic about user data.

Security Incidents & Data BreachesReliability & Data Loss

Read documentation

20132 sources

DropSmack: turning Dropbox into a malware and data-theft channel

At Black Hat Europe 2013, a researcher demonstrated 'DropSmack,' a technique that abused Dropbox sync to slip malware past corporate firewalls and quietly exfiltrate company files.

Security Incidents & Data BreachesPrivacy & Encryption Concerns

Read documentation

June 20132 sources

Named in the NSA's PRISM slides as 'coming soon'

Among the classified NSA PRISM documents leaked by Edward Snowden, Dropbox appeared as a provider the surveillance program planned to add, listed as 'coming soon' — placing the company squarely inside the post-Snowden surveillance debate.

Privacy & Encryption Concerns

Read documentation

2012 (disclosed in full 2016)3 sources

The 2012 breach: 68 million user credentials stolen via a reused password

An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.

Security Incidents & Data BreachesPrivacy & Encryption Concerns

Read documentation

2011–2026 (ongoing)3 sources

Dropbox holds the keys: the design choice behind every privacy controversy

Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.

Privacy & Encryption Concerns

Read documentation

May 20113 sources

The 2011 FTC complaint: a researcher accuses Dropbox of misleading users about encryption

Security researcher Christopher Soghoian filed a complaint with the U.S. Federal Trade Commission alleging that Dropbox made deceptive claims about its encryption, because Dropbox employees could in fact access users' files.

Security Incidents & Data BreachesPrivacy & Encryption ConcernsLegal Actions & Lawsuits

Read documentation

April–May 20113 sources

The 2011 FTC complaint: marketing said staff couldn't read your files; the fine print said otherwise

Security researcher Christopher Soghoian filed an FTC complaint alleging Dropbox had told users their files were inaccessible even to Dropbox employees, while its actual architecture — and a quietly revised Terms of Service — made clear the company could decrypt and hand over files.

Privacy & Encryption ConcernsLegal Actions & Lawsuits

Read documentation

June 20113 sources

The 2011 authentication bug: any password unlocked any account

For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.

Security Incidents & Data BreachesPrivacy & Encryption Concerns

Read documentation