Privacy & Encryption Concerns Reliability & Data Loss

The 2017 'zombie files' bug: deleted files reappeared years later

January 2017

In January 2017 files and folders that users had deleted — in some cases as far back as 2009 — suddenly reappeared in their accounts, revealing that 'deleted' data had been retained on Dropbox's servers far longer than its own policy promised.

What happened

In January 2017 a wave of Dropbox users reported that files and folders they had deleted long ago had silently returned to their accounts. The reappearances were not a matter of months: users described folders deleted as far back as 2009 popping back into existence, with timestamps that made clear they had been gone for years.

A Dropbox staffer on the company's support forum explained that a bug had prevented some files from being fully deleted from Dropbox's servers; those files sat in a kind of limbo instead of being purged. While engineers fixed the underlying bug, they 'inadvertently restored the impacted files and folders to those users' accounts.' Dropbox stressed that no third party was involved and that users had not been hacked.

The episode collided directly with Dropbox's stated privacy practice of permanently erasing deleted content after a set retention window (its policy described purging data roughly 60 days after deletion). If files deleted in 2009 could be restored in 2017, that data had clearly persisted for years beyond the promised window — and Dropbox offered no public explanation for why the bug had gone undetected for so long.

Impact

For a storage service, 'delete' is supposed to mean delete. The bug undermined that guarantee in two directions at once: it showed that data users believed was permanently gone had been quietly retained for years, and it forcibly resurrected potentially sensitive, private, or simply unwanted files into accounts and onto synced devices without consent. For anyone who had deleted financial records, personal photos, or confidential documents specifically to be rid of them, the resurrection was a privacy breach of trust — and a reminder that on a server-side service, users do not actually control the lifecycle of their own data.

Dropbox's Response / Official Position

Dropbox responded on its support forum, attributing the reappearances to a bug that had stopped some files from deleting fully, and acknowledging that its own fix had mistakenly restored the affected content. It said it built a corrective fix that would automatically re-delete the inadvertently restored files and folders (only those that had not since been modified) and rolled it out to affected accounts. It emphasized the incident was its own mistake and not the result of any external compromise.

Sources

01
CIO Dive — 'Dropbox bug brings deleted files back to life'
News2017
02
Dropbox Community — 'deleted folder re-appeared after a couple of years'
Official / Dropbox2017
03
BadCyber — 'Dropbox surprise – deleted files magically reappear after several years'
News2017

Spot an error, or have a source to add?

Report an error / suggest update

Related issues

2024–2026 (ongoing)3 sources

Betting the company on Dash: the uncertain future of the core sync product

Dropbox has reorganized around Dash, an AI-powered search assistant, repeatedly describing its core file-sync product as 'mature' — leaving longtime users uncertain how much future investment the service they actually pay for will receive.

Reliability & Data LossProduct Changes & User BacklashCurrent / Ongoing Issues (2024–2026)

Read documentation

December 20233 sources

The 2023 OpenAI toggle backlash: an AI data-sharing setting on by default

Users discovered a 'third-party AI' setting that was switched on by default for most of the world, fueling fears that Dropbox was quietly feeding personal files to OpenAI. Dropbox said no data was passively sent and that files were not used to train models.

Privacy & Encryption ConcernsProduct Changes & User BacklashCurrent / Ongoing Issues (2024–2026)

Read documentation

2020 onward3 sources

EU data-transfer scrutiny: the collapse of Privacy Shield and Dropbox's exposure

When the EU's top court struck down the EU–US Privacy Shield in 2020, Dropbox — which had self-certified under the framework — was among the US cloud services left exposed to European data-protection regulators questioning whether personal data could lawfully be transferred to the United States.

Privacy & Encryption ConcernsLegal Actions & LawsuitsCurrent / Ongoing Issues (2024–2026)

Read documentation

Ongoing3 sources

The resource-hungry desktop client: high CPU, disk, and battery drain

Long-running, widely reported complaints describe the Dropbox desktop client consuming excessive CPU, disk, memory, and battery — sometimes pinning processors above 100% and draining laptop batteries even when nothing is actively syncing.

Reliability & Data LossProduct Changes & User Backlash

Read documentation