Ranked
A curated ranking of the most serious entries in the archive — weighing scale of harm, how avoidable each was, and how long the fallout lasted. Not a raw severity sort; an editorial judgment, with the reasoning shown.
The foundational breach: ~68M credentials stolen, not fully disclosed until 2016, still being re-weaponized in the 2024 'Mother of All Breaches.' Its consequences never really ended.
For about four hours, any password unlocked any account. A total collapse of authentication — the single most complete security failure in Dropbox's history.
Not an incident but the design decision beneath most of them: Dropbox holds your keys, so a breach, a subpoena, or its own staff can reach readable files. The root cause of the privacy and government-access record.
The most recent major breach: emails, usernames, phone numbers, hashed passwords, and authentication data (API keys, OAuth tokens) exposed — triggering class actions that were later forced into individual arbitration.
A Selective Sync bug permanently deleted users' files with no recovery — the archive's clearest case of the core promise (your files are safe) failing outright.
Shared-link handling leaked private documents to third parties via referrer headers — confidential files exposed through a design oversight, not an attack.
The moment the 2012 breach's true scale finally surfaced, forcing a mass password reset four years late — the textbook example of delayed breach disclosure.
An FTC complaint alleging Dropbox misrepresented its encryption — the earliest formal challenge to the gap between Dropbox's security marketing and its actual architecture.
Codified that U.S. legal process can reach Dropbox-held data stored anywhere in the world — the jurisdiction risk that makes server-held keys matter in practice.
Demonstrated that stealing a sync token — no password needed — hands an attacker silent, persistent access to a victim's files.
Dropbox sold 'as much space as you need,' then retroactively capped it — the sharpest bait-and-switch in the pricing record.
A fifth of the company cut to fund an unproven AI pivot — the steepest single round in a multi-year workforce compression, and the human cost behind the efficiency story.
Ranking is Dropbox Watchdog's editorial judgment, drawn from the sourced archive. Reasonable people will order these differently — every entry links to the full, cited documentation so you can weigh it yourself. Dropbox Watchdog is independent and not affiliated with Dropbox, Inc.