7 documented issues in 2012, concentrated in privacy and encryption concerns. The most serious was the 2012 breach: 68 million user credentials stolen via a reused password.
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model, chosen to enable deduplication, previews, and search, means the company can read user files, which is the root cause critics return to again and again.
The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.
Dropbox's transparency reporting centers on US legal process, but as a global service it also faces foreign-government and cross-border demands — an area where its disclosures are thinner and the CLOUD Act blurs jurisdictional lines.
Because Dropbox holds the keys to decrypt users' files, a valid legal order does not hand a government encrypted data it cannot read; it yields readable file content. The design choice is what makes lawful compulsion effective.
Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.