Search the Dropbox Watchdog archive
28 documented issues in 2015, concentrated in privacy and encryption concerns. The most serious was the 2012 breach: 68 million user credentials stolen via a reused password.
An attacker used a Dropbox employee's reused password to steal a file containing roughly 68 million users' email addresses and hashed passwords — a theft whose full scale only became public in 2016.
At Black Hat USA 2015, Imperva researchers showed that stealing a single synchronization token let an attacker take over a Dropbox account and read its files indefinitely — and that, in Dropbox's case, changing the password did not revoke the stolen token.
Dropbox has published a biannual Transparency Report since 2012, and its own figures document a steady, long-run climb in government and law-enforcement demands for user data — including reporting periods where US legal-process requests jumped by roughly a third.
Dropbox encrypts files at rest, but the encryption keys belong to Dropbox, not the user. This server-side model — chosen to enable deduplication, previews, and search — means the company can read user files, the root cause critics return to again and again.
Dropbox's Terms of Service require binding individual arbitration and waive your right to join a class action — so even after a breach or billing dispute, most users cannot sue Dropbox or band together in court.
Many third-party integrations request broad, full-Dropbox access rather than scoped, folder-limited permissions — so a single connected app, if compromised, can expose everything in an account.
The DropSmack proof-of-concept warned that synced Dropbox folders could be a covert C2 and exfiltration channel; multiple real malware families — including BoxCaon, Crutch and tooling used by Kimsuky — went on to abuse Dropbox folders and the Dropbox API exactly that way.
Dropbox's OAuth model historically let third-party apps request full account access, and tokens persist until revoked — so a single over-permissioned or compromised integration can read, write or delete a user's entire Dropbox without any further prompt.
The referral program that powered Dropbox's early viral growth — once worth substantial free storage — was steadily devalued, and some long-time users reported referral-earned space being clawed back to the bare 2GB minimum.
Dropbox's transparency reporting centers on US legal process, but as a global service it also faces foreign-government and cross-border demands — an area where its disclosures are thinner and the CLOUD Act blurs jurisdictional lines.
Because Dropbox holds the keys to decrypt users' files, a valid legal order does not just hand a government encrypted data it cannot read; it yields readable file content. That design choice is what makes lawful compulsion effective.
Dropbox's move from the v1 Core API to API v2 was not a drop-in upgrade: error handling, authentication, permissions, and request formats all changed, forcing developers to rewrite integrations before v1 was switched off in 2017.
A persistent class of complaints describes Dropbox files that sit indefinitely in a 'syncing' state and never finish, leaving users unsure whether their data was actually uploaded — in some reported cases for months, with support unable to resolve it.
In April 2015 Dropbox announced it would retire the Sync API and the Datastore API, giving developers about a year to rewrite onto the Core API — apps that did not migrate stopped working when the Datastore API was shut down on 29 April 2016.
Dropbox runs every uploaded image and video through hash-matching systems such as Microsoft's PhotoDNA to detect known child sexual abuse material — automated scanning of users' private files that the company initially refused to explain.
Thru Inc. claimed it had used the term 'Dropbox' since 2004 and threatened the company's trademark; Dropbox sued first for declaratory relief, won summary judgment, and the Ninth Circuit affirmed — with a roughly $2.3 million attorneys'-fee award against Thru.
On 30 August 2015 Dropbox suffered a worldwide outage that locked users out of their files; the company blamed an issue that arose during routine internal maintenance.
Dropbox paused all development and then killed Mailbox, the gesture-driven email app it had acquired in 2013 to enormous fanfare, telling devoted users to find a new client by 26 February 2016.
When Dropbox cannot reconcile two versions of a file, it preserves both — saving the loser as a duplicate stamped 'conflicted copy' — a data-safety mechanism that in practice creates lasting duplication and version confusion that users cannot turn off.
Because Dropbox mirrors a permissive server namespace onto stricter local filesystems, files with disallowed characters, over-long paths, or trailing periods can fail to sync or be silently renamed — sometimes without any clear warning to the user.
China's Great Firewall has blocked Dropbox since 2014 — at one point cutting users off from their own files overnight without warning — leaving the service reachable in the country only via VPNs that are themselves restricted.
Dropbox has kept its free Basic plan at just 2GB since its early days, even as Google Drive offered 15GB, OneDrive 5GB, and rivals like Mega offered 20GB — leaving Dropbox with the stingiest free allowance among the major cloud providers.
Dropbox's 'Drop-ins' — the Chooser and Saver widgets that let any app use Dropbox as an open/save dialog — launched in 2013 with fanfare, but the iOS and Android Choosers were later deprecated and the program stagnated as Dropbox steered its platform away from third-party developers toward its own collaboration features.
Dropbox launched Carousel as a dedicated photo-and-video gallery app in 2014, then announced its closure barely 18 months later, shutting it down on 31 March 2016.
To comply with US trade sanctions and embargoes, Dropbox does not provide service in regions such as Crimea, North Korea, and Syria — meaning users there can be cut off from their existing files by their provider's home-country law.
During the August 2015 global outage, Dropbox's status page reported service restored while many users were still locked out — a documented gap between the company's stated status and the actual experience of its users.
Names that are distinct on Dropbox's case-sensitive, Unicode-tolerant servers but identical on Windows or macOS collide on sync, and Dropbox resolves the clash by silently appending '(Case Conflict)' or '(Unicode Encoding Conflict)' to one of the files.
Years before the California district attorneys' 2018 settlement, a private plaintiff brought a class action alleging Dropbox enrolled users in automatic subscription renewals without proper consent under California's Automatic Renewal Law; the case was removed to federal court and ended in a stipulated dismissal.