Dropbox in 2024

An attacker compromised the production environment of Dropbox Sign (formerly HelloSign), exposing customer emails, usernames, phone numbers, hashed passwords, and authentication secrets including API keys, OAuth tokens, and MFA data.

Beyond the headline user decline, Dropbox flagged elevated churn and downsell in its teams business through 2025 — customers cancelling or trading down to cheaper plans — a retention problem analysts called a structural drag that cost-cutting alone cannot fix.

After years of growth, Dropbox's paying-user count began falling and revenue turned negative year-over-year through 2025, as the company shrank managed-sales investment and exited product lines — raising questions about the durability of its core subscription business.

Following the 2024 Dropbox Sign breach, affected users filed proposed class-action lawsuits accusing Dropbox of failing to secure their data and of notifying victims too slowly. Dropbox has contested the claims, arguing the exposed data poses no identity-theft risk.

Dropbox laid off about 528 employees — roughly 20% of its workforce — with CEO Drew Houston citing a maturing core business, soft demand, and the need for different AI skills as the company reorganized around its Dash product.

While laying off about 20% of staff in October 2024, Dropbox was simultaneously running large share buybacks — authorizing $1.2 billion in December 2024 and a further $1.5 billion in September 2025 — directing billions to shareholders even as it cut jobs and trimmed product investment.

After Dropbox disclosed the April 2024 Dropbox Sign breach, affected users filed proposed class actions in federal court alleging Dropbox negligently failed to protect their data and did not give prompt, adequate notice; the claims are allegations and the consolidated litigation followed in the Northern District of California.

Within weeks of the Dropbox Sign breach disclosure, users filed a proposed class action in California federal court alleging Dropbox failed to protect their data and was slow to notify them.

The HelloSign API was rebranded to the Dropbox Sign API in 2022, and after the 2024 Dropbox Sign breach the company rotated API keys and OAuth tokens — meaning developers who had embedded e-signature functionality had to update credentials and re-establish connections, not just rename a product.

Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.

Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.

Across multiple years, attackers have built convincing fake Dropbox login pages — reached via PDF lures and redirect chains through trusted cloud storage — to harvest victims' real business email and Dropbox credentials.

The Better Business Bureau has logged more than 1,180 complaints against Dropbox over three years, dominated by surprise auto-renewal charges, denied refunds, and support tickets that vanish without resolution.

Dropbox shut down Dropbox Passwords, the password manager it had launched in 2020, in a phased 2025 wind-down ending 28 October 2025 — after which all stored credentials and payment cards were permanently deleted from its servers.

A succession of episodes — the 2023 OpenAI default-on toggle, the 2024 Dropbox Sign breach and litigation, two rounds of mass layoffs, declining users, and serial product shutdowns — has coalesced into a durable narrative that Dropbox is a fading incumbent whose trust and relevance are eroding.

Dropbox's AI-powered universal search, Dash, is billed separately from storage at roughly $15 per user per month for teams and $35 per user per month for business — meaning the 'AI era' Dropbox used to justify layoffs arrives as an extra charge rather than an included feature.

Dash connects to Google Workspace, Microsoft 365, Slack, Notion and more, and routes queries through large language models — leaving users to trust Dropbox's contractual assurances that connected and indexed data is not used to train third-party AI models.

After spending about $165M on DocSend (2021) and $95M on FormSwift (2022), Dropbox discontinued DocSend's Send & Track analytics in March 2025 and began winding down FormSwift in 2025 — abandoning roughly $260M of acquisitions while citing the wind-down as a drag on its own paying-user numbers.

Through 2025 Dropbox pushed Dash to general availability with self-serve sign-up and no IT required, marketing it as an AI assistant that indexes content across all of a user's connected apps — a model that, by design, reaches far beyond the files stored in Dropbox.

A persistent pattern of consumer complaints describes Dropbox auto-renewing annual subscriptions without clear advance notice, burying the downgrade option, and refusing refunds for unused time — practices now drawing legal scrutiny under state automatic-renewal laws.

Dropbox Paper, once promoted as the future of collaborative documents, was steadily de-emphasized: docs were migrated into the ordinary Dropbox filesystem from 2019, scattering folders and breaking the app's structure, and the Paper mobile app was discontinued in October 2025.

Dropbox has reorganized around Dash, an AI-powered search assistant, repeatedly describing its core file-sync product as 'mature' — leaving longtime users uncertain how much future investment the service they actually pay for will receive.

Dropbox repeatedly assures users that AI features do not train on their data and that content is deleted within 30 days — but because these are revocable policy promises layered over server-side access rather than technical guarantees, security commentators remain skeptical that the assurances will hold.

Dropbox has staked its future on Dash, but through 2025 the AI product had not yet produced meaningful revenue offsetting the declining core — leaving analysts to question whether the layoffs-funded pivot is generating returns or simply burning the runway.

Beyond credential phishing, attackers have used Dropbox links to deliver malware — distributing remote-access trojans such as AsyncRAT through Dropbox-hosted archives and shortcut files that abuse the service's trusted reputation to get past defenses.

A tracked vulnerability in the Dropbox desktop application for Windows could strip the 'Mark of the Web' flag from synced files, weakening a key warning that protects users from running downloaded, untrusted content.

State-aligned hacking groups, including North Korea's Kimsuky and ScarCruft, have repeatedly used the Dropbox API as a command-and-control and data-exfiltration channel, exploiting the fact that Dropbox traffic is trusted and rarely blocked.

Dropbox runs industry hash-matching (PhotoDNA, NCMEC and IWF hash lists) and an unhashed-content classifier across files added to or shared on the service, reporting matches to NCMEC — a legitimate child-safety system that is also, by design, a server-side scan of users' private content.

Check Point recorded thousands of attacks in which criminals hosted credential-harvesting documents on Dropbox itself, so the phishing emails came genuinely from [email protected] and sailed past filters that trust the Dropbox domain.

The Dropbox Dash Chrome extension requests permission to 'read and change all your data on all websites' and imports up to 90 days of browsing history — URLs, page titles, and page contents — to power its AI search.

A 2024 Proton analysis found Dropbox's privacy policy permits extensive data sharing with third parties — including Google, Amazon, OpenAI, Kissmetrics, and Stripe — and lets Dropbox volunteer user data to authorities in the vaguely defined 'public interest.'

Patent-assertion entity Daedalus Blue, holder of former IBM patents, sued Dropbox in August 2024, accusing the Dropbox API, the Magic Pocket storage system, and the Nautilus search engine of infringement; Dropbox's eligibility challenge was granted only in part, leaving the case alive.

The internal memo behind Dropbox's October 2024 cut of about 528 jobs admitted the company had 'over-invested' and grown too many layers of management; the second mass layoff in 18 months left employees rattled about the company's direction and stability.

Dropbox Basic (free) users get no email, chat or phone support — only the help center and community forum. Even paying Plus and Professional customers must first pass through a Dropbox AI assistant before they can reach email or live chat.

Patent-assertion entity Motion Offense accused Dropbox's file-sharing and Smart Sync features of infringing four patents and sought roughly $35.7 million; a Waco, Texas jury returned a defense verdict in May 2023, finding no infringement and all four patents invalid.

Since its 2018 IPO, Dropbox has steadily reoriented around higher-paying business customers and a 'Smart Workspace' strategy, layering price increases and feature-gating onto individual plans while shifting investment toward enterprise revenue.

Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.

The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.

Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.

On the eve of Dropbox's 2018 IPO, CEO Drew Houston received a stock award reported at about $110 million for 2017 — a performance grant that could be worth up to roughly $930 million — even as the company would later cut thousands of jobs across 2021, 2023, and 2024.

A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.

Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.

When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.

Dropbox publishes no list price for its Enterprise plan, requiring buyers to contact sales for a custom quote — an opacity that lets pricing vary by negotiation and obscures the true cost of moving an organization onto Dropbox.

Dropbox advertises Plus at $9.99 per month but charges $11.99 if you pay monthly instead of annually — a roughly 20% premium that pairs with non-refundable annual terms and auto-renewal to penalize the flexibility customers might want.

Dropbox uses cookies and machine learning to profile how engaged each user is — analyzing connected devices, storage used, file content, and sharing actions — to market premium services, with regional differences in what is on by default.

Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.

When an account exceeds its quota, Dropbox can halt syncing — the core function users depend on — until they delete files or pay more, while the path to downgrade a plan or step back to free is comparatively buried, wrapped in loss warnings, and locked behind non-refundable annual terms.

After nearly four years of litigation, a Texas jury found Dropbox did not infringe four file-sharing patents asserted by Motion Offense LLC, defeating a roughly $35 million damages demand — part of a wider patent fight Dropbox largely won.

Datanet LLC sued Dropbox in October 2022 over two patents on automatic real-time file management; Dropbox challenged the patents at the patent office, and the district-court docket closed in March 2024.

Dropbox Sign (formerly HelloSign) is sold as a wholly separate subscription — a free tier capped at three documents per month, then Essentials at about $15, Standard at about $25, and Premium at roughly $40 per user per month — so existing Dropbox storage customers must pay again, per seat, to sign documents.

Users have long complained that Dropbox badgers them with upgrade prompts, full-page upsell interstitials, in-app badges, and marketing emails — pressure that hits not only free accounts but, by users' accounts, paying Professional customers too.

Topia Technology sued Dropbox and other cloud-storage companies over two file-synchronization patents; rather than fight in court, Dropbox and Box challenged the patents at the Patent Trial and Appeal Board, which found the claims unpatentable — a result later affirmed by the Federal Circuit.

Dropbox Transfer lets users send files via a link, but its meaningful size limits are gated by tier: free Basic and entry plans are capped at 2 GB per transfer, with the headline 100 GB (and 250 GB with a Replay add-on) reserved for higher-priced business tiers.

Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.

Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.