Dropbox in 2016

An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.

Four years after the 2012 breach, the stolen credentials surfaced in the wild, forcing Dropbox to reset the passwords of all users who had not changed them since mid-2012.

When the full 2012 credential dump resurfaced in 2016, Dropbox forced a password reset on every user who had signed up before mid-2012 and never changed their password — a sweeping operational response that, for many, was the first sign anything was wrong.

Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.

Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.

Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.

The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.

Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.

The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.

Dropbox deprecated its original API v1 in 2016 and shut it off on 28 September 2017, forcing every third-party developer to rewrite for the incompatible v2 or watch their Dropbox integration stop working.

Dropbox's move from the v1 Core API to API v2 was not a drop-in upgrade: error handling, authentication, permissions, and request formats all changed, forcing developers to rewrite integrations before v1 was switched off in 2017.

A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.

Synchronoss Technologies accused Dropbox of infringing three data-synchronization patents; Dropbox won summary judgment of non-infringement and invalidity in 2019, and the Federal Circuit affirmed in 2021.

Researchers revealed that Dropbox's Mac client used a user's admin password to directly edit macOS's protected TCC.db permissions database, inserting itself into the Accessibility list — a privacy/trust list that grants near-total control over the machine — without a clear, informed prompt.

Thru Inc. claimed it had used the term 'Dropbox' since 2004 and threatened the company's trademark; Dropbox sued first for declaratory relief, won summary judgment, and the Ninth Circuit affirmed — with a roughly $2.3 million attorneys'-fee award against Thru.

In April 2015 Dropbox announced it would retire the Sync API and the Datastore API, giving developers about a year to rewrite onto the Core API — apps that did not migrate stopped working when the Datastore API was shut down on 29 April 2016.

Dropbox paused all development and then killed Mailbox, the gesture-driven email app it had acquired in 2013 to enormous fanfare, telling devoted users to find a new client by 26 February 2016.

When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.

Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.

Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.

Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.

Dropbox demoed 'Project Infinite' in 2016 as a way to see all cloud files on the desktop without using disk space, then shipped it in January 2017 rebranded as 'Smart Sync' — but restricted it to paying Business and Professional tiers rather than the free product its demo had implied.

After a review of the cloud-storage sector, the UK's Competition and Markets Authority secured voluntary commitments from providers including Dropbox in 2016 to improve unfair contract terms — covering notice of price and service changes, cancellation and refunds, and auto-renewal transparency.

Dropbox launched Carousel as a dedicated photo-and-video gallery app in 2014, then announced its closure barely 18 months later, shutting it down on 31 March 2016.

Before Dropbox acquired HelloSign in 2019, a patent-assertion entity called Digital Verification Systems had sued HelloSign over an electronic-signature patent — one of a wave of near-identical suits — leaving Dropbox to inherit the dispute along with the company.

Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.