Proton
Dropbox security issues

Dropbox was the first mainstream cloud storage service available and has blazed many trails for the industry. Sadly, it has also made a lot of missteps over the years, the worst of which was the Dropbox breach of 2012, the biggest the industry has seen. We put together this timeline of Dropbox security issues so you can decide for yourself if this is still the provider for you.

If after reading you’re ready to make the jump, check out this quick guide to deleting your Dropbox account. And finally, as you’re considering a Dropbox alternative, we also share information below about Proton Drive, which is a lot more secure.

Dropbox security breaches: a timeline

Dropbox was started in 2008 and from 2011 has experienced some kind of breach almost every year since then, though the pace has slowed down somewhat recently. Still, when deciding which cloud storage service to trust with your files, it’s important to look at their track record.

2011: Dropbox password bug

Dropbox’s first scandal came in June 2011, just three years after it was founded. Thanks to a bug, for a period of about four hours the Dropbox system would accept any password(nieuw venster) you gave it, meaning that anybody could gain access to any account as long as they knew the username or email — a good case for using a safe username

That said, it should be noted that actually fixing the issue took the Dropbox team just five minutes once they were notified about it. However, during those four hours every Dropbox account was wide open. It was pure luck that no attackers found out about the vulnerability in that time span.

2012: Dropbox breach, 68 million passwords compromised

In July 2012, Dropbox reported(nieuw venster) that some usernames and passwords were stolen from other sites and then used to access Dropbox (a good reason to create strong passwords for each site separately). Dropbox responded by deploying security measures to make unauthorized access harder.

So far, so good, but in 2016 it came out that Dropbox hadn’t told the whole story(nieuw venster): Among those hacked in 2012 was a Dropbox employee who had used his company password on LinkedIn, as well. This gave the attackers access to Dropbox’s systems. 

Once the story broke in 2016 — four years after the initial breach — it quickly came out that around 68 million users had been compromised, making it the biggest hack in cloud storage history, and one of the bigger ones in internet history, period. On top of that was the scandal of Dropbox, a huge company, taking four years to acknowledge the full scale of the damage done. 

2013: PRISM allegations

When in 2013 Edward Snowden revealed to The Guardian newspaper that the United States government was spying on people all over the world through the PRISM program, one of the names(nieuw venster) that came up was Dropbox. According to Snowden, the company was eager to work with the US authorities, calling it a “wannabe PRISM partner(nieuw venster)”.

It’s unclear whether Dropbox ever joined the PRISM project — the company has always denied doing so — but it should probably give people pause that any cloud storage service would be described as being enthusiastic to join a massive surveillance conspiracy. 

2017: Resurrected data

In January 2017, some Dropbox users encountered something very odd: Files they had deleted, in some cases years ago, suddenly reappeared in their Dropbox accounts. After some research, Dropbox found a bug(nieuw venster) had crept into the code that prevented files and folders from being permanently deleted.

Though it may seem harmless at first, we often delete files for a reason and the fact that possible sensitive data may have kept living a ghost-like existence even after being destroyed is a very serious issue. Again, not something you’d expect from a company like Dropbox.

2018: Data shared without consent

In July 2018, an interesting Harvard study(nieuw venster) was published in which the collaborative efforts of thousands of people were used as data points to determine how teams can work together. Riveting stuff that came up with some very original findings. The data used, though, was data from Dropbox, and the people involved were never asked(nieuw venster) if it could be used this way.

Though the data used was anonymized before being sent to the researchers (something that wasn’t made clear in the first version of the article), it should still make you uncomfortable that a service you trusted with your data shared it with third parties without your say-so, anonymized or not. 

On top of that, you could argue that anonymous data isn’t all that anonymous as there are ways to reconstruct somebody’s identity even when names are removed from digital dossiers.

2022: Return of the phishing attack

The most recent Dropbox scandal was in November 2022, when once again a Dropbox employee’s credentials were stolen(nieuw venster) during a phishing attack. 

This time around, the attackers impersonated GitHub, a site where developers store their code. In this case, the thieves made off with emails and passwords belonging to both Dropbox employees as well as customers. It should also be noted that it was GitHub itself which flagged the attack, not Dropbox.

In response, Dropbox stated that at no time were customer files in danger, nor were any of its core modules, the parts that make up Dropbox and therefore could threaten the whole system if exposed. Lucky for them, but it’s cold comfort for anybody whose email was used by cybercriminals.

What can you use instead of Dropbox?

As the above timeline demonstrates, Dropbox could do a lot better than it does — and has done. Though it’s not LastPass levels of bad, it has dropped the ball on more than one occasion. Often the scope and severity of the incidents were not reported by Dropbox, suggesting a lack of awareness or transparency. And more often than not the breaches were caused by poor security practices. 

In particular, Dropbox’s lack of end-to-end encryption is concerning. When a cloud storage service protects your files with end-to-end encryption, it means your data is encrypted on your device before going to the cloud. Any subsequent breach of the cloud servers would not result in any data being exposed. We go in more details of these and more in our article on Dropbox security.

It’s with these flaws of mainstream cloud storage providers in mind that we developed Proton Drive, a secure, end-to-end encrypted alternative that offers top-of-the-line security and a pleasant user experience all in one. Even if we wanted to see your data — and we don’t, because our business model is to protect your privacy — we simply can’t access it anyway.

This promise of privacy has been at the core of Proton since we were founded, and thanks to our supporters, we have been able to do so without needing outside funding. So our only obligation is to you, our community. 

If using a secure and private cloud storage option sounds good to you, join Proton Drive for free and get a taste of what a private web would be like.

Gerelateerde artikelen

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.