ProtonBlog(new window)
Dropbox security issues

A timeline of Dropbox security issues

Share this page

Dropbox was the first mainstream cloud storage(new window) service available and has blazed many trails for the industry. Sadly, it has also made a lot of missteps over the years, the worst of which was the Dropbox breach of 2012, the biggest the industry has seen. We put together this timeline of Dropbox security issues so you can decide for yourself if this is still the provider for you.

If after reading you’re ready to make the jump, check out this quick guide to deleting your Dropbox account(new window). And finally, as you’re considering a Dropbox alternative, we also share information below about Proton Drive, which is a lot more secure.

Dropbox security breaches: a timeline

Dropbox was started in 2008 and from 2011 has experienced some kind of breach almost every year since then, though the pace has slowed down somewhat recently. Still, when deciding which cloud storage service to trust with your files, it’s important to look at their track record.

2011: Dropbox password bug

Dropbox’s first scandal came in June 2011, just three years after it was founded. Thanks to a bug, for a period of about four hours the Dropbox system would accept any password(new window) you gave it, meaning that anybody could gain access to any account as long as they knew the username or email — a good case for using a safe username(new window)

That said, it should be noted that actually fixing the issue took the Dropbox team just five minutes once they were notified about it. However, during those four hours every Dropbox account was wide open. It was pure luck that no attackers found out about the vulnerability in that time span.

2012: Dropbox breach, 78 million passwords compromised

In July 2012, Dropbox reported(new window) that some usernames and passwords were stolen from other sites and then used to access Dropbox (a good reason to create strong passwords(new window) for each site separately). Dropbox responded by deploying security measures to make unauthorized access harder.

So far, so good, but in 2016 it came out that Dropbox hadn’t told the whole story(new window): Among those hacked in 2012 was a Dropbox employee who had used his company password on LinkedIn, as well. This gave the attackers access to Dropbox’s systems. 

Once the story broke in 2016 — four years after the initial breach — it quickly came out that around 68 million users had been compromised, making it the biggest hack in cloud storage history, and one of the bigger ones in internet history, period. On top of that was the scandal of Dropbox, a huge company, taking four years to acknowledge the full scale of the damage done. 

2013: PRISM allegations

When in 2013 Edward Snowden revealed to The Guardian newspaper that the United States government was spying on people all over the world through the PRISM program, one of the names(new window) that came up was Dropbox. According to Snowden, the company was eager to work with the US authorities, calling it a “wannabe PRISM partner(new window)”.

It’s unclear whether Dropbox ever joined the PRISM project — the company has always denied doing so — but it should probably give people pause that any cloud storage service would be described as being enthusiastic to join a massive surveillance conspiracy.

2017: Resurrected data

In January 2017, some Dropbox users encountered something very odd: Files they had deleted, in some cases years ago, suddenly reappeared in their Dropbox accounts. After some research, Dropbox found a bug(new window) had crept into the code that prevented files and folders from being permanently deleted.

Though it may seem harmless at first, we often delete files for a reason and the fact that possible sensitive data may have kept living a ghost-like existence even after being destroyed is a very serious issue. Again, not something you’d expect from a company like Dropbox.

2018: Data shared without consent

In July 2018, an interesting Harvard study(new window) was published in which the collaborative efforts of thousands of people were used as data points to determine how teams can work together. Riveting stuff that came up with some very original findings. The data used, though, was data from Dropbox, and the people involved were never asked(new window) if it could be used this way.

Though the data used was anonymized before being sent to the researchers (something that wasn’t made clear in the first version of the article), it should still make you uncomfortable that a service you trusted with your data shared it with third parties without your say-so, anonymized or not. 

On top of that, you could argue that anonymous data isn’t all that anonymous(new window) as there are ways to reconstruct somebody’s identity even when names are removed from digital dossiers.

2022: Return of the phishing attack

The most recent Dropbox scandal was in November 2022, when once again a Dropbox employee’s credentials were stolen(new window) during a phishing attack. 

This time around, the attackers impersonated GitHub, a site where developers store their code. In this case, the thieves made off with emails and passwords belonging to both Dropbox employees as well as customers. It should also be noted that it was GitHub itself which flagged the attack, not Dropbox.

In response, Dropbox stated that at no time were customer files in danger, nor were any of its core modules, the parts that make up Dropbox and therefore could threaten the whole system if exposed. Lucky for them, but it’s cold comfort for anybody whose email was used by cybercriminals.

What can you use instead of Dropbox?

As the above timeline demonstrates, Dropbox could do a lot better than it does — and has done. Though it’s not LastPass levels of bad(new window), it has dropped the ball on more than one occasion. Often the scope and severity of the incidents were not reported by Dropbox, suggesting a lack of awareness or transparency. And more often than not the breaches were caused by poor security practices. 

In particular, Dropbox’s lack of end-to-end encryption(new window) is concerning. When a cloud storage service protects your files with end-to-end encryption, it means your data is encrypted on your device before going to the cloud. Any subsequent breach of the cloud servers would not result in any data being exposed. We go in more details of these and more in our article on Dropbox security(new window).

It’s with these flaws of mainstream cloud storage providers in mind that we developed Proton Drive, a secure, end-to-end encrypted alternative that offers top-of-the-line security and a pleasant user experience all in one. Even if we wanted to see your data — and we don’t, because our business model is to protect your privacy — we simply can’t access it anyway.

This promise of privacy has been at the core of Proton since we were founded, and thanks to our supporters, we have been able to do so without needing outside funding. So our only obligation is to you, our community. 

If using a secure and private cloud storage option sounds good to you, join Proton Drive for free and get a taste of what a private web would be like.

Protect your privacy with Proton
Create a free account

Share this page

Fergus O'Sullivan(new window)

Fergus has been a writer, journalist, and privacy advocate for close to a decade. In that time he has run investigations of the privacy industry, written on policy, and reviewed more programs and apps than you can shake a stick at. Before starting work at Proton, he worked for publications such as How-to Geek and Cloudwards, as well as helping host events at conferences like RightsCon.

Related articles

What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m
In the early days when Proton started, we often received a question along the lines of “I love the product and what Proton stands for, but how do I know you will still be around to protect my data 10 years from now?”  Ten years and 100 million accou
Credential stuffing is a popular type of cyberattack where attackers take login credentials and use them on thousands of websites, hoping to fraudulently gain access to people’s accounts. It’s an effective attack, but fortunately, one that’s easy to
With Skiff abruptly shutting down operations, many people are on the lookout for alternatives that don’t compromise on privacy — and won’t suddenly disappear. People were attracted to Skiff because it promised privacy, no ads, end-to-end encryption,
Skiff is dead. On Feb. 9, the email company Skiff announced it was being bought by Notion. Many Skiff customers have been shocked by this news, as their inboxes have been sold out from under them. Skiff gave people six months to export their data be