Dropbox in 2015

An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.

At Black Hat USA 2015, Imperva researchers showed that stealing a single synchronization token let an attacker take over a Dropbox account and read its files indefinitely — and that, in Dropbox's case, changing the password did not revoke the stolen token.

Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.

Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.

Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.

The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.

Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.

The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.

Dropbox's move from the v1 Core API to API v2 was not a drop-in upgrade: error handling, authentication, permissions, and request formats all changed, forcing developers to rewrite integrations before v1 was switched off in 2017.

A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.

Thru Inc. claimed it had used the term 'Dropbox' since 2004 and threatened the company's trademark; Dropbox sued first for declaratory relief, won summary judgment, and the Ninth Circuit affirmed — with a roughly $2.3 million attorneys'-fee award against Thru.

Dropbox runs every uploaded image and video through hash-matching systems such as Microsoft's PhotoDNA to detect known child sexual abuse material — automated scanning of users' private files that the company initially refused to explain.

Dropbox paused all development and then killed Mailbox, the gesture-driven email app it had acquired in 2013 to enormous fanfare, telling devoted users to find a new client by 26 February 2016.

In April 2015 Dropbox announced it would retire the Sync API and the Datastore API, giving developers about a year to rewrite onto the Core API — apps that did not migrate stopped working when the Datastore API was shut down on 29 April 2016.

On 30 August 2015 Dropbox suffered a worldwide outage that locked users out of their files; the company blamed an issue that arose during routine internal maintenance.

Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.

When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.

Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.

Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.

Dropbox launched Carousel as a dedicated photo-and-video gallery app in 2014, then announced its closure barely 18 months later, shutting it down on 31 March 2016.

During the August 2015 global outage, Dropbox's status page reported service restored while many users were still locked out — a documented gap between the company's stated status and the actual experience of its users.

Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.

Years before the California district attorneys' 2018 settlement, a private plaintiff brought a class action alleging Dropbox enrolled users in automatic subscription renewals without proper consent under California's Automatic Renewal Law; the case was removed to federal court and ended in a stipulated dismissal.