Search the Dropbox Watchdog archive
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.
Dropbox closed fiscal 2025 with revenue of about $2.52 billion, down roughly 1% year over year, paying users down to 18.07 million, and guidance for 2026 of essentially flat revenue — confirming that the core business has stopped growing even as margins expand.
After years of growth, Dropbox's paying-user count began falling and revenue growth turned negative year over year through 2025, as the company shrank managed-sales investment and exited product lines — raising questions about the durability of its core subscription business.
Dropbox can disable an account for policy violations — and when it does, all access to the account and its files is terminated at once. Users widely report being locked out with little explanation, and that some disablings are triggered by automated abuse-detection.
If a Dropbox account exceeds its (often downgraded) storage quota, users may lose the ability to sync, upload, share, move or even preview files — and if it stays over the limit, Dropbox 'may delete files you own' to force the account back under quota.
Dropbox's forced migration to Apple's File Provider framework on macOS Monterey and Ventura brought runaway CPU usage, stalled syncing, and reports of locally available folders silently reverting to online-only — experienced by some users as data loss.
The 2018 CLOUD Act amended US law so that a US-based provider like Dropbox can be compelled to produce a user's data regardless of which country the data is physically stored in — meaning a US warrant can reach an overseas user's files.
In January 2017 files and folders that users had deleted — in some cases as far back as 2009 — suddenly reappeared in their accounts, revealing that 'deleted' data had been retained on Dropbox's servers far longer than its own policy promised.
When the full 2012 credential dump resurfaced in 2016, Dropbox forced a password reset on every user who had signed up before mid-2012 and never changed their password — a sweeping operational response that, for many, was the first sign anything was wrong.
After the 2013 PRISM disclosures named major US tech firms, Dropbox spent the following years documenting — through its own reports and advocacy — that it sits inside the same surveillance ecosystem: subject to NSLs, FISA orders and rising law-enforcement demands, with only banded, gagged disclosure permitted.
A subtle bug in a maintenance script reinstalled the operating system on a small number of active production database machines, knocking Dropbox offline starting Friday 10 January 2014, with full service not restored until Sunday.
Dropbox is subject to National Security Letters and FISA orders that arrive with gag provisions barring it from disclosing even that it received them; the most it can publish is a band such as '0–249' national-security requests.
Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.
Security researcher Christopher Soghoian filed a complaint with the U.S. Federal Trade Commission alleging that Dropbox made deceptive claims about its encryption, because Dropbox employees could in fact access users' files.
Security researcher Christopher Soghoian filed an FTC complaint alleging Dropbox had told users their files were inaccessible even to Dropbox employees, while its actual architecture — and a quietly revised Terms of Service — made clear the company could decrypt and hand over files.
Across multiple years, attackers have built convincing fake Dropbox login pages — reached via PDF lures and redirect chains through trusted cloud storage — to harvest victims' real business email and Dropbox credentials.
In November 2025 Google launched a tool to move files out of Dropbox Business into Google Drive, a pointed bid to convert Dropbox customers — and a sign of how exposed Dropbox's commodity-storage business is to free, bundled offerings from far larger rivals.
A 2024 Proton analysis found Dropbox's privacy policy permits extensive data sharing with third parties — including Google, Amazon, OpenAI, Kissmetrics, and Stripe — and lets Dropbox volunteer user data to authorities in the vaguely defined 'public interest.'
Dropbox runs industry hash-matching (PhotoDNA, NCMEC and IWF hash lists) and an unhashed-content classifier across files added to or shared on the service, reporting matches to NCMEC — a legitimate child-safety system that is also, by design, a server-side scan of users' private content.
Tied to Apple's File Provider requirements, Dropbox announced in 2023 that its Mac client could no longer sync to or store the Dropbox folder on an external drive, forcing all content onto the boot volume and breaking workflows built on large external archives.
Since its 2018 IPO, Dropbox has steadily reoriented around higher-paying business customers and a 'Smart Workspace' strategy, layering price increases and feature-gating onto individual plans while shifting investment toward enterprise revenue.
Dropbox deems a free account inactive after 12 months with no log-in or file activity; the account is then disabled and, after a further period, its files are deleted. Users widely report having data erased while assuming Dropbox was a safe long-term store.
Patent-assertion entity Motion Offense accused Dropbox's file-sharing and Smart Sync features of infringing four patents and sought roughly $35.7 million; a Waco, Texas jury returned a defense verdict in May 2023, finding no infringement and all four patents invalid.
Dropbox's Smart Sync depended on a macOS kernel extension to present space-saving 'online-only' placeholder files; when Apple deprecated third-party kexts in macOS 12.3, opening those online-only files could break until Dropbox re-engineered the feature.
Entangled Media sued Dropbox over two patents on cloud-based file systems; the patent office declined to review the patents, and in 2025 the court issued a mixed summary-judgment ruling, leaving the dispute contested rather than resolved.
Dropbox's own Transparency Report shows that a large share of the search warrants it receives arrive with indefinite non-disclosure orders, leaving the company unable to ever notify those users that the government took their data.
The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.
European courts and regulators treat data held by US providers as inherently reachable by US surveillance under FISA Section 702 and the CLOUD Act — a structural concern that applies to any US-controlled cloud service, including Dropbox, regardless of where servers sit.
A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.
Synchronoss Technologies accused Dropbox of infringing three data-synchronization patents; Dropbox won summary judgment of non-infringement and invalidity in 2019, and the Federal Circuit affirmed in 2021.
Dropbox runs every uploaded image and video through hash-matching systems such as Microsoft's PhotoDNA to detect known child sexual abuse material — automated scanning of users' private files that the company initially refused to explain.
On 30 August 2015 Dropbox suffered a worldwide outage that locked users out of their files; the company blamed an issue that arose during routine internal maintenance.
Responding to criticism of Dropbox's lack of zero-knowledge encryption, CEO Drew Houston framed the fact that Dropbox can access users' files as a deliberate 'trade-off between usability/convenience and security.'
Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.
When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.
Hackers claimed to have stolen nearly 7 million Dropbox logins, posted batches on Pastebin, and demanded Bitcoin — but the credentials came from other breached services, not Dropbox itself.
On 10–11 January 2014 Dropbox went dark for roughly two hours after an internal maintenance error, while a group calling itself 1775 Sec falsely claimed to have breached it — a hoax that briefly stoked panic about user data.
At Black Hat Europe 2013, a researcher demonstrated 'DropSmack,' a technique that abused Dropbox sync to slip malware past corporate firewalls and quietly exfiltrate company files.
Among the classified NSA PRISM documents leaked by Edward Snowden, Dropbox appeared as a provider the surveillance program planned to add, listed as 'coming soon' — placing the company squarely inside the post-Snowden surveillance debate.
Q-CERT researchers found that because Dropbox did not verify email addresses at signup, an attacker who already had a victim's password could register a near-duplicate email, enable 2FA on it, and use the resulting emergency code to switch off the real account's two-step verification.
Dropbox splits files into blocks, hashes each with SHA-256, and stores only one copy of any block it already holds — a cost-saving design that researcher Christopher Soghoian warned could leak whether a given file already exists on Dropbox's servers.
The 2001 USA PATRIOT Act expanded US government access to records held by domestic companies and became the original reason foreign organizations distrusted storing data with US cloud providers — a concern that still attaches to Dropbox today.
Under the 1986 Stored Communications Act, US law enforcement can obtain a Dropbox user's basic subscriber records with a subpoena, account usage records with a court order, and the actual contents of their files with a search warrant — a tiered framework Dropbox publishes in its own guidelines.
Dropbox uses cookies and machine learning to profile how engaged each user is — analyzing connected devices, storage used, file content, and sharing actions — to market premium services, with regional differences in what is on by default.
Datanet LLC sued Dropbox in October 2022 over two patents on automatic real-time file management; Dropbox challenged the patents at the patent office, and the district-court docket closed in March 2024.
Topia Technology sued Dropbox and other cloud-storage companies over two file-synchronization patents; rather than fight in court, Dropbox and Box challenged the patents at the Patent Trial and Appeal Board, which found the claims unpatentable — a result later affirmed by the Federal Circuit.
Patent-assertion entity SynKloud Technologies sued Dropbox in the Western District of Texas over patents on wireless-device access to remote storage; Dropbox's bid to move the case to California was denied, while SynKloud's broader patent campaign unraveled at the patent office.
Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.
During the August 2015 global outage, Dropbox's status page reported service restored while many users were still locked out — a documented gap between the company's stated status and the actual experience of its users.
Because gag orders bar providers from confirming secret national-security demands, some companies post a 'warrant canary' — a standing statement that disappears if such a demand arrives. Dropbox relies on banded transparency reporting rather than a canary, leaving the most sensitive demands invisible to users.
As thousands of intercepted Snapchat photos leaked in the so-called 'Snappening,' early reports tied Dropbox to the incident — but Dropbox flatly denied any involvement, and the actual leaks came from third-party apps and unrelated breaches, not Dropbox's systems.
Days after Dropbox disclosed the June 2011 bug that briefly let anyone sign into any account with any password, a plaintiff filed a class action alleging privacy and consumer-protection violations; the case was terminated within four months.