The HelloSign API was rebranded to the Dropbox Sign API in 2022, and after the 2024 Dropbox Sign breach the company rotated API keys and OAuth tokens — meaning developers who had embedded e-signature functionality had to update credentials and re-establish connections, not just rename a product.
After years of advertising Dropbox Advanced as offering 'as much space as you need,' Dropbox replaced unlimited storage with metered tiers in August 2023, blaming a small group of heavy users including crypto miners and storage resellers.
In April 2023 Dropbox cut about 500 jobs — 16% of its workforce — with CEO Drew Houston attributing the move partly to 'the AI era of computing,' a framing critics saw as repackaging cost-cutting as strategic transformation at a profitable company.
If a user enables two-factor authentication and later loses their authenticator app, backup phone and emergency backup code, Dropbox support has told users it has no process to restore access — and the account, with all its files, is effectively lost.
Dropbox can disable an account for policy violations — and when it does, all access to the account and its files is terminated at once. Users widely report being locked out with little explanation, and report that some disablings are triggered by automated abuse detection.
If a Dropbox account exceeds its (often downgraded) storage quota, users may lose the ability to sync, upload, share, move or even preview files — and if it stays over the limit, Dropbox 'may delete files you own' to force the account back under quota.
Dropbox's forced migration to Apple's File Provider framework on macOS Monterey and Ventura brought runaway CPU usage, stalled syncing, and reports of locally available folders silently reverting to online-only — experienced by some users as data loss.
Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.
Across multiple years, attackers have built convincing fake Dropbox login pages — reached via PDF lures and redirect chains through trusted cloud storage — to harvest victims' real business email and Dropbox credentials.
Dropbox repeatedly assures users that AI features do not train on their data and that content is deleted within 30 days — but because these are revocable policy promises layered over server-side access rather than technical guarantees, security commentators remain skeptical that the assurances will hold.
Dropbox Paper, once promoted as the future of collaborative documents, was steadily de-emphasized: docs were migrated into the ordinary Dropbox filesystem from 2019, scattering folders and breaking the app's structure, and the Paper mobile app was discontinued in October 2025.
After spending about $165M on DocSend (2021) and $95M on FormSwift (2022), Dropbox discontinued DocSend's Send & Track analytics in March 2025 and began winding down FormSwift in 2025 — abandoning roughly $260M of acquisitions while citing the wind-down as a drag on its own paying-user numbers.
The Better Business Bureau has logged more than 1,180 complaints against Dropbox over three years, dominated by surprise auto-renewal charges, denied refunds, and support tickets that vanish without resolution.
A persistent pattern of consumer complaints describes Dropbox auto-renewing annual subscriptions without clear advance notice, burying the downgrade option, and refusing refunds for unused time — practices now drawing legal scrutiny under state automatic-renewal laws.
Dropbox shut down Dropbox Passwords, the password manager it had launched in 2020, in a phased 2025 wind-down ending 28 October 2025 — after which all stored credentials and payment cards were permanently deleted from its servers.
A succession of episodes — the 2023 OpenAI default-on toggle, the 2024 Dropbox Sign breach and litigation, two rounds of mass layoffs, declining users, and serial product shutdowns — has coalesced into a durable narrative that Dropbox is a fading incumbent whose trust and relevance are eroding.
The Dropbox Dash Chrome extension requests permission to 'read and change all your data on all websites' and imports up to 90 days of browsing history — URLs, page titles, and page contents — to power its AI search.
State-aligned hacking groups, including North Korea's Kimsuky and ScarCruft, have repeatedly used the Dropbox API as a command-and-control and data-exfiltration channel, exploiting the fact that Dropbox traffic is trusted and rarely blocked.
Dropbox offers no legacy-contact or memorialization feature. To obtain a deceased person's files, the next of kin must generally produce a court order compelling disclosure — a slow, expensive barrier that leaves grieving families locked out of irreplaceable data.
Dropbox teams must always have at least one admin, but when a sole admin leaves, is offboarded, or loses access, the rest of the team can be locked out of administration — and recovering control or transferring ownership often requires a slow special support process.
Dropbox sends one-time verification codes for new-device or unusual logins, but when the code goes to an outdated phone number or an inbox the user can no longer reach, legitimate owners report being unable to sign in — and the questionnaire-based recovery often fails.
Users widely report being charged after cancelling, billed on accounts they thought were closed, and unable to get Dropbox support to issue refunds — often resolved only after escalating to the BBB. The BBB has published a pattern alert tied to these complaints.
Dropbox deems a free account inactive after 12 months with no log-in or file activity; the account is then disabled and, after a further period, its files are deleted. Users widely report having data erased while assuming Dropbox was a safe long-term store.
Dropbox enforces rate limits it does not publish, returning HTTP 429 errors — including a separate too_many_write_operations limit triggered by parallel writes to the same folder — that can throttle backup tools and bulk integrations without warning.
Patent-assertion entity Motion Offense accused Dropbox's file-sharing and Smart Sync features of infringing four patents and sought roughly $35.7 million; a Waco, Texas jury returned a defense verdict in May 2023, finding no infringement and all four patents invalid.
Tied to Apple's File Provider requirements, Dropbox announced in 2023 that its Mac client could no longer sync to or store the Dropbox folder on an external drive, forcing all content onto the boot volume and breaking workflows built on large external archives.
Since its 2018 IPO, Dropbox has steadily reoriented around higher-paying business customers and a 'Smart Workspace' strategy, layering price increases and feature-gating onto individual plans while shifting investment toward enterprise revenue.
Users discovered a 'third-party AI' setting that was switched on by default for most of the world, fueling fears that Dropbox was quietly feeding personal files to OpenAI. Dropbox said no data was passively sent and that files were not used to train models.
Dropbox promises a one-business-day email response on paid plans, but users widely report tickets sitting for days, being marked 'solved' without a fix, or being told to use the volunteer community forum — with some getting traction only after filing a BBB complaint.
Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.
The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.
Dropbox went 'Virtual First' in 2020, making remote the default and converting offices to drop-in studios — but the shift, layered on a record 2017 San Francisco headquarters lease, drove hundreds of millions in real-estate impairment charges, including roughly $400M+ tied to subleasing its HQ.
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.
On the eve of Dropbox's 2018 IPO, CEO Drew Houston received a stock award reported at about $110 million for 2017 — a performance grant that could be worth up to roughly $930 million — even as the company would later cut thousands of jobs across 2021, 2023, and 2024.
A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.
Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.
When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.
Dropbox publishes no list price for its Enterprise plan, requiring buyers to contact sales for a custom quote — an opacity that lets pricing vary by negotiation and obscures the true cost of moving an organization onto Dropbox.
Dropbox uses cookies and machine learning to profile how engaged each user is — analyzing connected devices, storage used, file content, and sharing actions — to market premium services, with regional differences in what is on by default.
Dropbox advertises Plus at $9.99 per month but charges $11.99 if you pay monthly instead of annually — a roughly 20% premium that pairs with non-refundable annual terms and auto-renewal to penalize the flexibility customers might want.
Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.
Dropbox's own engineering writing describes an analytics pipeline that logs fine-grained user-behavior events in its mobile apps — button clicks, navigation across screens, sign-in failures, upload timing — to study 'complex user scenarios.'
Dropbox rebranded HelloSign — the e-signature company it acquired in 2019 — as 'Dropbox Sign' in 2023, absorbing its identity into the Dropbox brand a year before the product suffered a major breach.
A new Dropbox app starts in development status capped at 500 linked users, and once it reaches 50 users the developer has just two weeks to apply for and receive production approval — otherwise the app is frozen and cannot link any new users.
When an account exceeds its quota, Dropbox can halt syncing — the core function users depend on — until they delete files or pay more, while the path to downgrade a plan or step back to free is comparatively buried, wrapped in loss warnings, and locked behind non-refundable annual terms.
After nearly four years of litigation, a Texas jury found Dropbox did not infringe four file-sharing patents asserted by Motion Offense LLC, defeating a roughly $35 million damages demand — part of a wider patent fight Dropbox largely won.
Dropbox Sign (formerly HelloSign) is sold as a wholly separate subscription — a free tier capped at three documents per month, then Essentials at about $15, Standard at about $25, and Premium at roughly $40 per user per month — so existing Dropbox storage customers must pay again, per seat, to sign documents.
Datanet LLC sued Dropbox in October 2022 over two patents on automatic real-time file management; Dropbox challenged the patents at the patent office, and the district-court docket closed in March 2024.
Topia Technology sued Dropbox and other cloud-storage companies over two file-synchronization patents; rather than fight in court, Dropbox and Box challenged the patents at the Patent Trial and Appeal Board, which found the claims unpatentable — a result later affirmed by the Federal Circuit.
Users have long complained that Dropbox badgers them with upgrade prompts, full-page upsell interstitials, in-app badges, and marketing emails — pressure that hits not only free accounts but, by users' accounts, paying Professional customers too.
Dropbox Transfer lets users send files via a link, but its meaningful size limits are gated by tier: free Basic and entry plans are capped at 2 GB per transfer, with the headline 100 GB (and 250 GB with a Replay add-on) reserved for higher-priced business tiers.
Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.
Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.