Security Incidents & Data Breaches

After Dropbox disclosed the April 2024 Dropbox Sign breach, affected users filed proposed class actions in federal court alleging Dropbox negligently failed to protect their data and did not give prompt, adequate notice; the claims are allegations and the consolidated litigation followed in the Northern District of California.

An attacker compromised the production environment of Dropbox Sign (formerly HelloSign), exposing customer emails, usernames, phone numbers, hashed passwords, and authentication secrets including API keys, OAuth tokens, and MFA data.

Following the 2024 Dropbox Sign breach, affected users filed proposed class-action lawsuits accusing Dropbox of failing to secure their data and of notifying victims too slowly. Dropbox has contested the claims, arguing the exposed data poses no identity-theft risk.

A phishing campaign impersonating the CI provider CircleCI tricked Dropbox employees into handing over credentials and 2FA codes, letting attackers copy 130 of Dropbox's private source-code repositories.

Researchers revealed that Dropbox's Mac client used a user's admin password to directly edit macOS's protected TCC.db permissions database, inserting itself into the Accessibility list — a privacy/trust list that grants near-total control over the machine — without a clear, informed prompt.

Hackers claimed to have stolen nearly 7 million Dropbox logins, posted batches on Pastebin, and demanded Bitcoin — but the credentials came from other breached services, not Dropbox itself.

Researchers found that Dropbox's shared links to supposedly private documents could leak to third parties — exposed through browser referer headers and, in some cases, surfacing in Google search results — revealing tax returns, bank records, and business plans.

On 10–11 January 2014 Dropbox went dark for roughly two hours after an internal maintenance error, while a group calling itself 1775 Sec falsely claimed to have breached it — a hoax that briefly stoked panic about user data.

At Black Hat Europe 2013, a researcher demonstrated 'DropSmack,' a technique that abused Dropbox sync to slip malware past corporate firewalls and quietly exfiltrate company files.

An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.

Security researcher Christopher Soghoian filed a complaint with the U.S. Federal Trade Commission alleging that Dropbox made deceptive claims about its encryption, because Dropbox employees could in fact access users' files.

For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.