Search the Dropbox Watchdog archive
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
Dropbox is subject to National Security Letters and FISA orders that arrive with gag provisions barring it from disclosing even that it received them; the most it can publish is a band such as '0–249' national-security requests.
Dropbox has published a twice-yearly Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods in which US legal-process requests jumped by roughly a third.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.
The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.
The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.
Dropbox paused all development and then killed Mailbox, the gesture-driven email app it had acquired in 2013 to enormous fanfare, telling devoted users to find a new client by 26 February 2016.
When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.
At Black Hat Europe 2013, a researcher demonstrated 'DropSmack,' a technique that abused Dropbox sync to slip malware past corporate firewalls and quietly exfiltrate company files.
At USENIX WOOT 2013, Dhiru Kholia and Przemyslaw Wegrzyn unpacked and decompiled Dropbox's obfuscated-Python desktop client, demonstrated SSL interception via code injection, and described a way to hijack accounts and bypass two-factor authentication.
Q-CERT researchers found that because Dropbox did not verify email addresses at signup, an attacker who already had a victim's password could register a near-duplicate email, enable 2FA on it, and use the resulting emergency code to switch off the real account's two-step verification.
Among the classified NSA PRISM documents leaked by Edward Snowden, Dropbox appeared as a provider the surveillance program planned to add, listed as 'coming soon' — placing the company squarely inside the post-Snowden surveillance debate.
Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.
Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.