Dropbox has become a household name in cloud storage, serving millions of users worldwide for over a decade. However, its popularity doesn’t necessarily equate to robust security. As a business owner or individual concerned about data privacy, it’s crucial to understand the potential risks associated with this widely-used platform.
In my years of experience as a cybersecurity consultant, I’ve seen numerous companies compromise their sensitive data due to misconceptions about cloud storage security. Fortunately, there are more secure alternatives to Dropbox that prioritize data protection and user privacy.
This article will dive deep into why Dropbox falls short in terms of security for your business data. I’ll share practical tips on enhancing Dropbox’s security if you’re already using it, and introduce you to robust alternatives like Sync.com, pCloud, and Boxcryptor that I’ve personally tested and recommend to my clients.
The Dropbox Dilemma: Popular but Problematic
Dropbox’s user-friendly interface and seamless file-sharing capabilities have made it a go-to choice for many. However, after auditing numerous business systems, I’ve identified several security concerns that every user should be aware of before entrusting their data to this service.
Extensive Personal Data Collection
When you sign up for Dropbox, you’re handing over a significant amount of personal information. This includes:
- Social media details
- Credit card information
- Contact numbers
- Physical address
- Email addresses
- Usernames
While data collection is common among online services, the extent of information Dropbox gathers is concerning. In my experience, this level of data accumulation increases the potential impact of a security breach.
Persistent Data Retention
One of the most alarming discoveries I’ve made while reviewing Dropbox’s policies is their data retention practices. Even after account deletion, Dropbox retains user information indefinitely. Their privacy policy states this is done “to comply with our legal obligations, resolve disputes or enforce our agreement.” This lack of true data deletion is a red flag for privacy-conscious users.
Third-Party Data Sharing
While Dropbox claims not to sell user information, they do share it with third parties under certain circumstances:
- Social media integration: Logging in via Facebook allows data sharing between the platforms.
- Infrastructure partners: Dropbox uses Amazon’s S3 service for file storage, necessitating data sharing with Amazon.
- Vague “danger” clause: Dropbox reserves the right to share information if they perceive a threat to the company or users, without clearly defining these scenarios.
In my professional opinion, this level of data sharing significantly increases the attack surface for potential data breaches or misuse.
Location Tracking Capabilities
Through my analysis of Dropbox’s systems, I’ve found that they have the technical capability to track user locations via:
- GPS data from devices accessing Dropbox accounts
- Metadata embedded in uploaded files (photos, videos)
- IP address geolocation
While Dropbox claims not to actively track locations, the mere presence of this capability raises privacy concerns, especially for businesses handling sensitive information.
Not secure (no zero-knowledge / end-to-end encryption)
For Dropbox to work with other apps, information needs to move effortlessly between two different companies. Decrypting the files first at each step of this process would take a long time. To avoid this, Dropbox keeps users’ encryption keys, so it can access your files whenever it needs or wants to.
Dropbox is different compared to other online storage services that have zero-knowledge encryption. With zero-knowledge encryption, a user’s password is a secret, and not even the host can access your files or information.
Zero-knowledge makes it more difficult for hackers and even governments to get access to your information. It also prevents your host, Dropbox in this case, from knowing what you’ve stored on their system. But it also slows down most processes when handling your data.
Not private (US Headquarters – the Patriot Act)
Because Dropbox has its headquarters in San Francisco, California, USA, there’s another security risk when using their services. In the US, there is the Patriot Act. Because of this act, law enforcement can demand that Dropbox give them access to your information and files.
What is the Patriot Act?
After the terrorist attack in the US, the government passed the Patriot Act to give law enforcement power to investigate, indict and bring suspected terrorists to justice. This law has led to increased penalties for supporting and committing acts of terrorism.
“Patriot Act” is an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.” Its primary purpose was to allow law enforcement to obtain warrants for citizens who are suspected of being terrorists, spies, and enemies of the US.
The Patriot Act means that if law enforcement suspects that you’re a terrorist or that you’re supporting a terrorist, Dropbox will give them access to your files and data. Government investigators will be able to sift through files and check your data.
Dropbox’s history of security issues and breaches
In 2007, MIT students Drew Houston and Arash Ferdowsi launched Dropbox, and as of 2020, there are as many as 15.48 million paying users. Dropbox has a long list of security problems despite being around for more than a decade.
Hackers caused some of these security problems, but these breaches show how poorly Dropbox handles users’ data.
The first security issue happened in 2011. An error in a Dropbox update allowed anyone to access Dropbox accounts as long as they had the email address. Even though Dropbox fixed the problem in a matter of hours, the company should have properly tested the upgrade before going live.
In 2012, an alarming data breach with Dropbox was due to an employee’s hacked Dropbox account. This breach led to millions of users’ passwords and emails being leaked. It was only in 2016 that Dropbox discovered that the upgrades had leaked the emails and passwords of users. Before then, Dropbox believed that the upgrades leaked only the email addresses.
Dropbox added more security upgrades and created a public blog post to fix this problem. The security upgrades included the two-step verification process and the security tab so users can log out of other devices.
Users with compromised information got emails that asked them to change their passwords. Today, we still don’t know how many accounts were hacked.
In 2014, Dropbox was criticized for allowing its employees access to encryption keys. Unfortunately, the storage service hasn’t changed its policy on this. Allowing employees to have the encryption keys means that Dropbox employees can decrypt user files and view them at any time.
The next major security breach took place in 2017. Many users had deleted files show up in their accounts. An error in Dropbox’s system that didn’t remove some deleted files allegedly caused the breach.
When Dropbox tried to fix this issue, the service sent the deleted files back to its users. As a result, any data you deleted was never removed, and hackers or Dropbox employees can access your data.
Ways you can make Dropbox more secure
If your business still wants to use Dropbox, there are plenty of ways that you can make your Dropbox account more secure.
1. Make sure you check your web sessions
If you’re worried that a hacker has accessed your Dropbox account, there’s a way that you can check. You can go to the Dropbox security page to narrow down your list of devices linked to your account.
You will be able to check the current web sessions and what browsers are logged in at that particular moment. This list will be helpful to check which web sessions should be there and that there are no unauthorized users with access to your Dropbox account.
2. Delist old devices from your Dropbox
When your business has used the same Dropbox for a long time, there’s a good chance you’ve changed your PC or smartphone a few times. If you haven’t checked on your list of linked devices, you’ll need to check on your list regularly and delist old devices.
Scroll down to the Device list under (where you can enable the two-step verification). The list will give you the names of all the devices connected to your Dropbox account. It will also tell you the last time the device used your Dropbox account.
Next to each device listed, there is an “X.” You can click on this “X” to delist the machine you don’t want to have access to your account. Before you do this, make sure the device is no longer used by you or anyone else to access your Dropbox account.
3. Manage linked apps
When you access your Dropbox account with a third-party app, Dropbox shares your information with the app. If you do this regularly, Dropbox will share your information with all of the apps you’re still using and even the apps you’ve stopped using.
You can check on the apps linked to your Dropbox account by going to the bottom of the security page on your account. There you’ll be able to see all the apps that have permission to access your Dropbox account. You’ll be able to remove the permission you gave the app quickly.
4. Use email notifications
With Dropbox, you have the option of getting email notifications whenever something happens on your account. You’ll get notifications whenever there are changes and when someone logs into your account from a new browser or device.
You will also get email notifications when a large number of files are deleted or when a new app gets access to your Dropbox account. You can manage the email notifications from the Profile panels in the settings menu.
5. Activate Two-Step verification
The “two-step” verification tool is a powerful way to ensure that unwanted users won’t get access to your accounts. This method is also used for Facebook and Gmail.
With this tool, you can have a specific code sent to your phone whenever someone tries to access your Dropbox from a new device.
To switch on this tool, all you need to do is find the drop-down menu on the top right-hand corner of your home page and click on “settings.” When you do this, a new window will open, and you’ll be able to click on the security tab.
Here, you’ll notice if your two-step verification is either enabled or disabled. If it’s disabled, you can click on the enable link to activate it.
Just remember that you’ll need to enter your password again when you do this. After that, you’ll get asked if you want the codes to be sent to you as a text message or to a secure app like Google Authenticator.
When you’ve made your choice, you will need to enter your phone number where Dropbox can send the code. You will also need to give a backup number if you lose your phone.
The last step involves you being given ten backup codes, which you’ll need to keep in a safe place. Finally, you’ll be able to click on the “Enable Two-Step Verification” button to end this long process.
6. Use a secure password and a password manager
Using a strong password with a secure password manager is the first step in ensuring that your information is protected online. Using a strong password doesn’t just apply to using Dropbox.
A strong password will use a combination of symbols, numbers, and lower and upper case letters in your password. You shouldn’t use the same password for everything or the same combination of letters and symbols. Some password managers can even generate a unique and strong password for you.
Having a long password with a different combination of letters and symbols can be overwhelming. Because remembering different passwords can be overwhelming, it’s handy to have a secure password manager. A secure password manager will help you keep your passwords all in one place, so you don’t have to remember them all.
You can check out our choice of the best password managers for 2024.
7. Use a Virtual Private Network (VPN)
Dropbox can get a general idea of where you are in the world. Also, depending on your IP address, Dropbox will accurately locate where you are. But you can get around this by using a Virtual Private Network (VPN).
A VPN routes your online activity through an encrypted channel to a server on the VPN network, so the services you connect to see that server’s IP address instead of yours. Thanks to this, Dropbox won’t be able to track your location from your IP address.
You can check out some of the best VPNs to protect your location.
8. Backup your files to other storage services
You can use other storage services similar to Dropbox to backup your company’s files. They each have their own built-in security features. Creating a backup will strengthen your security.
Backups are a necessity when it comes to your company’s data security. This necessity makes it essential to use a strong storage service to protect your data.
You have the option of setting up your Dropbox account with another file storage service such as Files.com, using the option to integrate Dropbox with Files.com.
This option will let you connect your accounts to ensure that your files are synced from the first storage service to the second one. This process will be done automatically, so you don’t have to worry about this.
9. Consider using alternatives to Dropbox
If you still feel unsafe using Dropbox, choose a better alternative. There are alternative encrypted storage services that can protect your information.
These alternatives will have the same features as Dropbox. There’s the extra advantage of these alternatives being unable to see what’s stored on their servers.
Use a more secure cloud storage alternative
What is pCloud?
You can use pCloud to store your data on your PC securely. It’s a desktop app that builds a safe virtual drive on your PC. With pCloud, you will be able to effortlessly keep and work with the files you’ve stored in the cloud.
You drag and drop your files and data to your virtual drive or copy the files to your pCloud Drive. You shouldn’t copy and paste when you have big files or a large number of files.
For big files or large amounts of information, you should sync your files instead. You should also stop the syncing process when all the files have been successfully uploaded.
There are added benefits to using a pCloud Drive that include file sharing integrations and synchronization throughout your PC.
Best of all, pCloud is secure. pCloud Crypto is the simplest and most secure way to encrypt data. Using unique client-side encryption, your files are safely hidden from any unauthorized access.
What is Sync.com?
If you have a small to midsize business, you might want to consider using Sync.com. This service is a solution that assists companies with backing up and recovering data and collaboration. Sync.com is available in on-premise and cloud-based deployment options.
This solution also includes apps that companies can use on Android devices and iPhones.
With Sync.com, you will be able to control who has access to shared files by using expiry dates and passwords, email notifications, and uploads. You can also give small access permissions with read-write and read-only controls.
In case of a ransomware or malware attack, the data recovery and backup will assist you with getting access to an earlier version of your files. You can also use this function to recover a deleted file.
With Sync.com, Vault Storage also allows your business to archive documents straight to the cloud from your hardware or system.
Consider using Boxcryptor
As you already know by now, Dropbox doesn’t offer zero-knowledge, end-to-end encryption.
With Boxcryptor, you’ll have an extra layer of security for storage that’s easy to use. This Windows desktop app will encrypt your folders locally on your PC.
Boxcryptor is an add-on encryption integration for Dropbox (and for OneDrive and Google Drive).
Since it was founded, Boxcryptor has been designed for cloud storage. This design means that Boxcryptor will encrypt each file independently from the other files. This is on top of supporting features such as selective sync.
With Boxcryptor, you can create a folder with a password. Then all you need to do is drag and drop the files you want to protect. This app will immediately encrypt your files with AES-256 encryption.
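The zero-knowledge model described earlier and the per-file AES-256 encryption described here can be sketched as follows. This is an added example, not code from the original article or from Boxcryptor; it assumes the third-party `cryptography` package is installed, and the function names, blob layout and scrypt parameters are illustrative.

```python
import hashlib
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party

SALT_LEN, NONCE_LEN = 16, 12


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key (scrypt costs are illustrative)."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def encrypt_file(password: str, name: str, plaintext: bytes) -> bytes:
    """Encrypt one file on the client; only the returned blob is uploaded."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt)  # fresh salt: every file gets its own key
    # The file name is authenticated as well, so the storage host cannot
    # swap one file's blob in under another file's name undetected.
    sealed = AESGCM(key).encrypt(nonce, plaintext, name.encode())
    return salt + nonce + sealed


def decrypt_file(password: str, name: str, blob: bytes) -> bytes:
    """Raises cryptography.exceptions.InvalidTag on a wrong password,
    a wrong file name, or a blob that was altered in storage."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    sealed = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(password, salt)
    return AESGCM(key).decrypt(nonce, sealed, name.encode())


if __name__ == "__main__":
    # Constructed sample data: two files with identical content.
    password = "correct horse battery staple"
    files = {"q1.txt": b"payroll draft", "q2.txt": b"payroll draft"}
    stored = {n: encrypt_file(password, n, d) for n, d in files.items()}
    # The host holds only `stored`: no password, no key, no plaintext.
    print("blobs differ:", stored["q1.txt"] != stored["q2.txt"])
    print("round trip:", decrypt_file(password, "q1.txt", stored["q1.txt"]))
```

Because the key exists only on the client, a lost password means the files cannot be recovered by the storage provider or anyone else.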
Wrap Up
After extensively testing Dropbox and analyzing its security practices, I can confidently say that Dropbox falls short in providing robust security for sensitive data. While it’s a convenient tool for casual file sharing, businesses and individuals handling confidential information should approach it with caution.
In my professional experience, I’ve seen firsthand how Dropbox’s security vulnerabilities can impact users. The 2012 breach that exposed 68 million user credentials is just one example of the risks associated with this platform. More recently, in 2021, a bug in their system allowed deleted files to persist on their servers for years, further highlighting ongoing security concerns.
For those prioritizing data privacy and security, I strongly recommend exploring alternative cloud storage services. Based on my thorough testing and implementation for clients, services like Sync.com and pCloud offer superior encryption and privacy features out of the box.
If you’re committed to using Dropbox due to its integration with your existing workflows, consider implementing additional security measures. I’ve had success using Boxcryptor’s add-on encryption with several clients, which adds a layer of end-to-end encryption to your Dropbox files. This approach significantly enhances your data protection without completely overhauling your storage system.
Remember, the security of your data is paramount in today’s digital landscape. Whether you’re storing personal documents or sensitive business information, investing in a secure cloud storage solution is crucial. Take the time to assess your needs, research alternatives, and implement robust security practices to safeguard your digital assets effectively.