Search the Dropbox Watchdog archive
On 30 September 2021 Dropbox stopped issuing the never-expiring access tokens many integrations relied on, switching to short-lived tokens plus refresh tokens — backups, scripts, and self-hosted tools that hard-coded a static token broke unless rewritten.
Patent-assertion entity Daedalus Blue, holder of former IBM patents, sued Dropbox in August 2024, accusing the Dropbox API, the Magic Pocket storage system, and the Nautilus search engine of infringement; Dropbox's eligibility challenge was granted only in part, leaving the case alive.
State-aligned hacking groups, including North Korea's Kimsuky and ScarCruft, have repeatedly used the Dropbox API as a command-and-control and data-exfiltration channel, exploiting the fact that Dropbox traffic is trusted and rarely blocked.
Dropbox enforces rate limits it does not publish, returning HTTP 429 errors — including a separate too_many_write_operations limit triggered by parallel writes to the same folder — that can throttle backup tools and bulk integrations without warning.
ESET and Avast documented the Worok espionage group's 'DropBoxControl' backdoor, which abused the Dropbox API as its entire command-and-control channel — reading commands from, and uploading stolen data to, ordinary files in a Dropbox account.
Dropbox's API lets connected third-party apps request 'Full Dropbox' access to a user's entire account, and broad OAuth scopes mean an app users link for one task can often read far more than they expect.
Dropbox replaced its coarse legacy access types with granular OAuth scopes, requiring every developer to revisit their app's permissions in the developer console and, in many cases, have existing users re-authorize before new functionality would work.
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
Dropbox deprecated its original API v1 in 2016 and shut it off on 28 September 2017, forcing every third-party developer to rewrite for the incompatible v2 or watch their Dropbox integration stop working.