For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.
Researcher Derek Newton showed that Dropbox's desktop client stored an unencrypted authentication token (host_id) in a local config.db file — copy that one value to another machine and you owned the victim's account, with no password and no notification.
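Why a copied host_id is enough, and what binding it to the device would change, as an added example that is not Dropbox's code. It models two servers: one that treats host_id as a bearer credential (the design Newton described) and one that treats host_id only as a device identifier and requires proof of possession of a key held on that device. Class names, the token format, the challenge protocol and the simulated keystore are illustrative assumptions; a real implementation would enroll an asymmetric key kept in an OS keychain or TPM so the server never holds the secret.

```python
"""Added example (not Dropbox's code): a host_id that works on its own is a
portable bearer credential; binding authentication to a key that stays on the
device defeats the copy-config.db attack. Class names, the token format and the
simulated keystore are illustrative assumptions."""
import hashlib
import hmac
import secrets


class BearerTokenServer:
    """The flawed model: whoever presents a valid host_id is the account holder."""

    def __init__(self) -> None:
        self.accounts: dict[str, str] = {}  # host_id -> account

    def link_device(self, account: str) -> str:
        host_id = secrets.token_hex(16)
        self.accounts[host_id] = account
        return host_id

    def authenticate(self, host_id: str):
        # Nothing ties host_id to the machine it was issued to, and no password is asked.
        return self.accounts.get(host_id)


class DeviceBoundServer:
    """Hardened model: host_id only identifies the device; proof of possession of a
    device-held key over a fresh server nonce is what authenticates."""

    def __init__(self) -> None:
        self.devices: dict[str, tuple[str, bytes]] = {}  # host_id -> (account, device key)
        self.pending: dict[str, bytes] = {}               # host_id -> outstanding nonce

    def link_device(self, account: str, device_key: bytes) -> str:
        host_id = secrets.token_hex(16)
        self.devices[host_id] = (account, device_key)
        return host_id

    def challenge(self, host_id: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[host_id] = nonce
        return nonce

    def authenticate(self, host_id: str, response: bytes):
        entry = self.devices.get(host_id)
        nonce = self.pending.pop(host_id, None)  # single use: a captured response cannot be replayed
        if entry is None or nonce is None:
            return None
        account, device_key = entry
        expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, response) else None


class Device:
    """A machine: config.db rows are a plain file an attacker can copy; the keystore
    stands in for an OS keychain or TPM-backed key that cannot be exported."""

    def __init__(self) -> None:
        self.config_db: dict[str, str] = {}
        self._keystore = secrets.token_bytes(32)

    def export_key_for_enrollment(self) -> bytes:
        # Symmetric key for brevity; a real design enrolls a public key so the server never holds the secret.
        return self._keystore

    def sign(self, nonce: bytes) -> bytes:
        return hmac.new(self._keystore, nonce, hashlib.sha256).digest()


def demo() -> dict:
    bearer, bound = BearerTokenServer(), DeviceBoundServer()
    victim = Device()
    victim.config_db["host_id"] = bearer.link_device("alice")
    victim.config_db["host_id_bound"] = bound.link_device("alice", victim.export_key_for_enrollment())

    # Constructed scenario: the attacker copies config.db onto a different machine.
    attacker = Device()
    attacker.config_db = dict(victim.config_db)

    # Bearer model: the copied value alone logs the attacker in as the victim.
    bearer_result = bearer.authenticate(attacker.config_db["host_id"])

    # Device-bound model: the attacker holds host_id but signs with the wrong key.
    hid = attacker.config_db["host_id_bound"]
    bound_attacker = bound.authenticate(hid, attacker.sign(bound.challenge(hid)))

    # The legitimate device still authenticates, and a replay of its response fails.
    nonce = bound.challenge(hid)
    response = victim.sign(nonce)
    bound_victim = bound.authenticate(hid, response)
    replay = bound.authenticate(hid, response)

    return {"bearer_attacker": bearer_result, "bound_attacker": bound_attacker,
            "bound_victim": bound_victim, "replay": replay}
```

The point of the contrast is that the bearer server has no way to distinguish the victim's machine from any other that presents the same row of config.db, while the bound server rejects the copied host_id because the attacker's response is computed under a different key, and rejects a captured response because each nonce is consumed on first use.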
Security researcher Christopher Soghoian filed an FTC complaint alleging Dropbox had told users their files were inaccessible even to Dropbox employees, while its actual architecture — and a quietly revised Terms of Service — made clear the company could decrypt and hand over files.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.
The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.
Dropbox splits files into blocks, hashes each with SHA-256, and stores only one copy of any block it already holds — a cost-saving design that researcher Christopher Soghoian warned could leak whether a given file already exists on Dropbox's servers.
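How the block-level deduplication described above turns into a file-existence oracle, and why the server-held keys mentioned earlier are what make it possible, as an added example that is not Dropbox's code. A client first sends the SHA-256 of each block and the server replies with the IDs it still needs; if it needs none, the prober learns that every block of the candidate file is already stored, by whichever user uploaded it, without sending a byte. The same store is then driven with IDs derived under a per-user key, modelling client-side encryption, to show that the oracle disappears together with the cross-user storage saving. The wire protocol, the 4 MiB default block size, the per-user-key model and the sample memos are illustrative assumptions.

```python
"""Added example (not Dropbox's code): block-level deduplication keyed on
SHA-256, the file-existence oracle it creates, and why per-user keys remove
both the oracle and the storage saving. Names, the wire protocol and the
per-user-key scheme are illustrative assumptions."""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MiB, assumed here as the client's chunk size


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def convergent_ids(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Content-derived IDs: identical plaintext blocks get identical IDs for every user."""
    return [hashlib.sha256(b).hexdigest() for b in split_blocks(data, block_size)]


def per_user_ids(data: bytes, user_key: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Model of client-side encryption under a per-user key (assumed): the server only
    sees IDs derived from ciphertext, so the same plaintext yields different IDs per user."""
    return [hmac.new(user_key, b, hashlib.sha256).hexdigest() for b in split_blocks(data, block_size)]


class DedupStore:
    """Server side: keeps one copy of each block ID it has seen."""

    def __init__(self) -> None:
        self.blocks: dict = {}

    def missing(self, ids: list) -> list:
        """The client sends IDs first; the server replies with the ones it still needs."""
        return [i for i in ids if i not in self.blocks]

    def put(self, block_id: str, block: bytes) -> None:
        self.blocks[block_id] = block


def upload(store: DedupStore, data: bytes, ids: list, block_size: int = BLOCK_SIZE) -> int:
    """Upload only the blocks the server lacks; return how many bytes crossed the wire."""
    needed = set(store.missing(ids))
    sent = 0
    for block_id, block in zip(ids, split_blocks(data, block_size)):
        if block_id in needed:
            store.put(block_id, block)
            sent += len(block)
    return sent


def probe_exists(store: DedupStore, candidate: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """Existence oracle: if the server asks for nothing, every block of the candidate is
    already held, whoever uploaded it. The prober never uploads a byte."""
    return store.missing(convergent_ids(candidate, block_size)) == []


def demo(block_size: int = 16) -> dict:
    # Constructed sample data; a small block size keeps the example readable.
    leaked_memo = b"CONFIDENTIAL: merger closes Friday at 09:00, codename KESTREL."
    other_memo = b"Lunch menu for the week: soup, salad, and sandwiches on Friday."

    # Convergent (plaintext-derived) IDs, as when the provider holds the keys.
    store = DedupStore()
    first = upload(store, leaked_memo, convergent_ids(leaked_memo, block_size), block_size)
    second = upload(store, leaked_memo, convergent_ids(leaked_memo, block_size), block_size)

    # Per-user keys: the same memo uploaded by two users shares nothing on the server.
    keyed = DedupStore()
    alice, mallory = secrets.token_bytes(32), secrets.token_bytes(32)
    upload(keyed, leaked_memo, per_user_ids(leaked_memo, alice, block_size), block_size)
    mallory_sent = upload(keyed, leaked_memo, per_user_ids(leaked_memo, mallory, block_size), block_size)

    return {
        "bytes_first_upload": first,
        "bytes_second_upload": second,                                  # 0: dedup hit
        "oracle_leaked": probe_exists(store, leaked_memo, block_size),  # True
        "oracle_other": probe_exists(store, other_memo, block_size),    # False
        "keyed_second_user_bytes": mallory_sent,                        # full size: no cross-user dedup
    }
```

The trade-off the page keeps returning to is visible in the two stores: with convergent IDs the second upload costs nothing and any party holding a copy of the memo can confirm it is already on the server; with per-user IDs the second user pays the full upload and the probe has nothing to match against, which is exactly the storage saving a provider gives up when it stops holding the keys.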
Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.
Days after Dropbox disclosed the June 2011 bug that briefly let anyone sign into any account with any password, a plaintiff filed a class action alleging privacy and consumer-protection violations; the case was terminated within four months.