Proton
Dropbox security issues

A timeline of Dropbox security issues

Dropbox was the first mainstream cloud storage service available and has blazed many trails for the industry. Sadly, it has also made a lot of missteps over the years, the worst of which was the Dropbox breach of 2012, the biggest the industry has seen. We put together this timeline of Dropbox security issues so you can decide for yourself if this is still the provider for you.

If after reading you’re ready to make the jump, check out this quick guide to deleting your Dropbox account. And finally, as you’re considering a Dropbox alternative, we also share information below about Proton Drive, which is a lot more secure.

Dropbox security breaches: a timeline

Dropbox was started in 2008 and from 2011 has experienced some kind of breach almost every year since then, though the pace has slowed down somewhat recently. Still, when deciding which cloud storage service to trust with your files, it’s important to look at their track record.

2011: Dropbox password bug

Dropbox’s first scandal came in June 2011, just three years after it was founded. Thanks to a bug, for a period of about four hours the Dropbox system would accept any password(new window) you gave it, meaning that anybody could gain access to any account as long as they knew the username or email — a good case for using a safe username

That said, it should be noted that actually fixing the issue took the Dropbox team just five minutes once they were notified about it. However, during those four hours every Dropbox account was wide open. It was pure luck that no attackers found out about the vulnerability in that time span.

2012: Dropbox breach, 68 million passwords compromised

In July 2012, Dropbox reported(new window) that some usernames and passwords were stolen from other sites and then used to access Dropbox (a good reason to create strong passwords for each site separately). Dropbox responded by deploying security measures to make unauthorized access harder.

So far, so good, but in 2016 it came out that Dropbox hadn’t told the whole story(new window): Among those hacked in 2012 was a Dropbox employee who had used his company password on LinkedIn, as well. This gave the attackers access to Dropbox’s systems. 

Once the story broke in 2016 — four years after the initial breach — it quickly came out that around 68 million users had been compromised, making it the biggest hack in cloud storage history, and one of the bigger ones in internet history, period. On top of that was the scandal of Dropbox, a huge company, taking four years to acknowledge the full scale of the damage done. 

2013: PRISM allegations

When in 2013 Edward Snowden revealed to The Guardian newspaper that the United States government was spying on people all over the world through the PRISM program, one of the names(new window) that came up was Dropbox. According to Snowden, the company was eager to work with the US authorities, calling it a “wannabe PRISM partner(new window)”.

It’s unclear whether Dropbox ever joined the PRISM project — the company has always denied doing so — but it should probably give people pause that any cloud storage service would be described as being enthusiastic to join a massive surveillance conspiracy. 

2017: Resurrected data

In January 2017, some Dropbox users encountered something very odd: Files they had deleted, in some cases years ago, suddenly reappeared in their Dropbox accounts. After some research, Dropbox found a bug(new window) had crept into the code that prevented files and folders from being permanently deleted.

Though it may seem harmless at first, we often delete files for a reason and the fact that possible sensitive data may have kept living a ghost-like existence even after being destroyed is a very serious issue. Again, not something you’d expect from a company like Dropbox.

2018: Data shared without consent

In July 2018, an interesting Harvard study(new window) was published in which the collaborative efforts of thousands of people were used as data points to determine how teams can work together. Riveting stuff that came up with some very original findings. The data used, though, was data from Dropbox, and the people involved were never asked(new window) if it could be used this way.

Though the data used was anonymized before being sent to the researchers (something that wasn’t made clear in the first version of the article), it should still make you uncomfortable that a service you trusted with your data shared it with third parties without your say-so, anonymized or not. 

On top of that, you could argue that anonymous data isn’t all that anonymous as there are ways to reconstruct somebody’s identity even when names are removed from digital dossiers.

2022: Return of the phishing attack

The most recent Dropbox scandal was in November 2022, when once again a Dropbox employee’s credentials were stolen(new window) during a phishing attack. 

This time around, the attackers impersonated GitHub, a site where developers store their code. In this case, the thieves made off with emails and passwords belonging to both Dropbox employees as well as customers. It should also be noted that it was GitHub itself which flagged the attack, not Dropbox.

In response, Dropbox stated that at no time were customer files in danger, nor were any of its core modules, the parts that make up Dropbox and therefore could threaten the whole system if exposed. Lucky for them, but it’s cold comfort for anybody whose email was used by cybercriminals.

What can you use instead of Dropbox?

As the above timeline demonstrates, Dropbox could do a lot better than it does — and has done. Though it’s not LastPass levels of bad, it has dropped the ball on more than one occasion. Often the scope and severity of the incidents were not reported by Dropbox, suggesting a lack of awareness or transparency. And more often than not the breaches were caused by poor security practices. 

In particular, Dropbox’s lack of end-to-end encryption is concerning. When a cloud storage service protects your files with end-to-end encryption, it means your data is encrypted on your device before going to the cloud. Any subsequent breach of the cloud servers would not result in any data being exposed. We go in more details of these and more in our article on Dropbox security.

It’s with these flaws of mainstream cloud storage providers in mind that we developed Proton Drive, a secure, end-to-end encrypted alternative that offers top-of-the-line security and a pleasant user experience all in one. Even if we wanted to see your data — and we don’t, because our business model is to protect your privacy — we simply can’t access it anyway.

This promise of privacy has been at the core of Proton since we were founded, and thanks to our supporters, we have been able to do so without needing outside funding. So our only obligation is to you, our community. 

If using a secure and private cloud storage option sounds good to you, join Proton Drive for free and get a taste of what a private web would be like.

Related articles

A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.
A cover image for a blog announcing that Pass Plus will now include premium SimpleLogin features
en
We're changing the price of new Pass Plus subscriptions, which now includes access to SimpleLogin premium features.
Infinity symbol in purple with the words "Call for submissions" and "Proton Lifetime Fundraiser 7th Edition"
en
It’s time to choose the organizations we should support for the 2024 edition of our annual charity fundraiser.