Analysis
What Dropbox told users — next to what the record shows. Each pairing links to a fully-sourced entry in the archive.
“All files stored on Dropbox servers are encrypted and are inaccessible without your account password.”
Dropbox's early security marketing told users their files were private even from Dropbox staff.
What actually happened
A 2011 FTC complaint and Dropbox's own quiet terms revision established that Dropbox held the encryption keys and its employees could access unencrypted files.
Read the documented entry
“Only you can access your account.”
Dropbox positioned authentication and two-step verification as robust account protection.
What actually happened
A 2011 bug let any password unlock any account for several hours; a 2013 flaw allowed bypassing two-step verification via email.
Read the documented entry
“Your stuff is safe.”
A core, recurring Dropbox promise about the security of files and accounts.
What actually happened
Credentials for roughly 68 million accounts were stolen in 2012 — and the full scope wasn't disclosed until 2016, four years later.
Read the documented entry
“We protect your privacy.”
Dropbox marketed itself as a trustworthy custodian of private files.
What actually happened
Leaked NSA slides listed Dropbox as 'coming soon' to the PRISM surveillance program, and Dropbox's own transparency reports show steadily rising government data demands it largely complies with.
Read the documented entry
“Your files are always available and safe with us.”
Reliability and durability are central to a sync product's pitch.
What actually happened
A 2014 Selective Sync bug permanently deleted users' files — including one user's roughly 8,000 photos — with no recovery.
Read the documented entry
“As much space as you need.”
Dropbox sold its Advanced plan with an effectively-unlimited storage promise.
What actually happened
In 2023 Dropbox walked the promise back, capping 'unlimited' plans and citing abuse — angering customers who had bought in on the original pledge.
Read the documented entry
“Your data is yours; we don't use it to train AI.”
Dropbox reassured users about how their files are handled by AI features.
What actually happened
In 2023 users discovered a 'share with third-party AI' toggle switched on by default in most regions, sending data to OpenAI and triggering a privacy backlash.
Read the documented entry
“Dropbox Sign: secure e-signatures you can trust.”
Dropbox marketed Sign (formerly HelloSign) for legally-important agreements.
What actually happened
The 2024 Dropbox Sign breach exposed emails, hashed passwords, API keys, OAuth tokens and MFA data — even for people who only ever received a document — and spawned class-action litigation.
Read the documented entry
Claims are paraphrased to the substance of Dropbox's public positioning; each linked entry carries the primary sources. Dropbox Watchdog is independent and not affiliated with Dropbox, Inc.