Search the Dropbox Watchdog archive
A flaw in Dropbox's desktop Selective Sync feature permanently destroyed the files of users whose client crashed or was force-quit mid-operation — including one photographer who lost more than 8,000 irreplaceable images. Dropbox compensated affected users with a year of Dropbox Pro.
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
A subtle bug in a maintenance script reinstalled the operating system on a small number of active production database machines, knocking Dropbox offline starting Friday 10 January 2014, with full service not restored until Sunday.
Researchers found that Dropbox's shared links to supposedly private documents could leak to third parties — exposed through browser referer headers and, in some cases, surfacing in Google search results — revealing tax returns, bank records, and business plans.
After the 2013 PRISM disclosures named major US tech firms, Dropbox spent the following years documenting — through its own reports and advocacy — that it sits inside the same surveillance ecosystem: subject to NSLs, FISA orders and rising law-enforcement demands, with only banded, gagged disclosure permitted.
Dropbox is subject to National Security Letters and FISA orders that arrive with gag provisions barring it from disclosing even that it received them; the most it can publish is a band such as '0–249' national-security requests.
Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.
Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.
The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.
A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.
Thru Inc. claimed it had used the term 'Dropbox' since 2004 and threatened the company's trademark; Dropbox sued first for declaratory relief, won summary judgment, and the Ninth Circuit affirmed — with a roughly $2.3 million attorneys'-fee award against Thru.
Dropbox paused all development and then killed Mailbox, the gesture-driven email app it had acquired in 2013 to enormous fanfare, telling devoted users to find a new client by 26 February 2016.
Dropbox's April 2014 appointment of former Secretary of State Condoleezza Rice — a defender of warrantless wiretapping — to its board triggered the grassroots 'Drop Dropbox' campaign, and months later Edward Snowden publicly branded the service 'hostile to privacy.'
Hackers claimed to have stolen nearly 7 million Dropbox logins, posted batches on Pastebin, and demanded Bitcoin — but the credentials came from other breached services, not Dropbox itself.
A viral 2014 incident revealed that Dropbox compares the cryptographic hashes of files users try to share against a blacklist of DMCA-flagged content and blocks matches — surprising users who assumed their files were entirely private.
When Dropbox cannot reconcile two versions of a file, it preserves both, saving the losing version as a duplicate stamped 'conflicted copy'. Users cannot turn this data-safety mechanism off, and in practice it creates lasting duplication and version confusion.
Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.
On 10–11 January 2014 Dropbox went dark for roughly two hours after an internal maintenance error, while a group calling itself 1775 Sec falsely claimed to have breached it — a hoax that briefly stoked panic about user data.
Responding to criticism of Dropbox's lack of zero-knowledge encryption, CEO Drew Houston framed the fact that Dropbox can access users' files as a deliberate 'trade-off between usability/convenience and security.'
Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.
Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.
Dropbox launched Carousel as a dedicated photo-and-video gallery app in 2014, then announced its closure barely 18 months later, shutting it down on 31 March 2016.
Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.
Years before the California district attorneys' 2018 settlement, a private plaintiff brought a class action alleging Dropbox enrolled users in automatic subscription renewals without proper consent under California's Automatic Renewal Law; the case was removed to federal court and ended in a stipulated dismissal.
As thousands of intercepted Snapchat photos leaked in the so-called 'Snappening,' early reports tied Dropbox to the incident — but Dropbox flatly denied any involvement, and the actual leaks came from third-party apps and unrelated breaches, not Dropbox's systems.
Because gag orders bar providers from confirming secret national-security demands, some companies post a 'warrant canary' — a standing statement that disappears if such a demand arrives. Dropbox relies on banded transparency reporting rather than a canary, leaving the most sensitive demands invisible to users.