Dropbox Has Been Hacked Not Once, Not Twice, But THREE Times

Dropbox has been hacked not once, not twice, but THREE TIMES. And they still want you to trust them with your files.

Look, I get it. Dropbox is convenient. It’s everywhere. It’s easy. But here’s the thing nobody’s telling you: Dropbox has been breached three separate times, and each time it’s been because of the same stupid shit: employee credentials getting compromised.

Let me walk you through this disaster timeline, because it’s dangerously educational.

2012: The 68 Million User Mega-Breach (That They Hid for 4 Years)

In 2012, Dropbox got hacked. Dropbox admitted at the time that an employee’s account had been used to get at a document with user email addresses, but it didn’t tell anyone the full story until 2016, four years later, when a dump of about 68 million email addresses and password hashes showed up online.

How it happened: An employee reused their password from LinkedIn (which had been breached) on their Dropbox account. That account held a project document containing Dropbox user email addresses (and, as the 2016 dump showed, password hashes went with them). Classic password reuse mistake.

What was exposed:

  • 68 million email addresses
  • 68 million password hashes (roughly half bcrypt, the rest salted SHA-1; the SHA-1 half is the part an attacker can realistically crack)

Dropbox’s response, paraphrased: “Oops, we didn’t realize it was this bad until the data dump turned up four years later.”

Yeah, that inspires confidence. NOT!

2022: The GitHub Phishing Attack

Fast forward to late 2022. In October, attackers phished Dropbox developers with emails impersonating CircleCI, and at least one developer ended up handing over their GitHub login. Dropbox disclosed it on November 1.

How it happened: Social engineering. The fake CircleCI login page collected the developer’s GitHub username, password and the one-time password from their hardware key, so the attacker walked straight through MFA and, boom, accessed 130 private code repositories on GitHub. One-time codes can be phished in real time; only phishing-resistant MFA (WebAuthn/FIDO2, where the credential is bound to the real site’s origin) actually stops this.

What was exposed:

  • Internal source code (modified third-party libraries, internal prototypes, and some security-team tools and config files; Dropbox said its core app and infrastructure code was not in these repos)
  • Credentials, primarily API keys used by Dropbox developers
  • A few thousand names and email addresses of Dropbox employees, current and past customers, sales leads and vendors
  • Dropbox said no user content, passwords or payment information was accessed

The pattern: Once again, it’s an employee credential compromise. Not some sophisticated zero-day exploit. Just good old-fashioned phishing, against an MFA setup that could be phished right along with the password.

2024: Dropbox Sign Gets Completely Owned

April 2024 (discovered April 24, disclosed May 1). This one’s the worst because it affected every single Dropbox Sign user (formerly HelloSign, their e-signature product).

According to Dropbox’s own disclosure, hackers gained access to a backend “service account” with elevated privileges and used it to read the Dropbox Sign customer database.

What was exposed:

  • Emails, usernames and general account settings of all Dropbox Sign users
  • Phone numbers
  • Hashed passwords
  • For a subset of users: API keys, OAuth tokens and multi-factor authentication data
  • Even people who just received or signed a document without ever creating an account had their names and emails exposed
  • Dropbox said it found no evidence that documents, agreements or payment information were accessed, and that Dropbox Sign’s infrastructure is largely separate from the rest of Dropbox

How it happened: Hackers got into an automated system configuration tool for Dropbox Sign and, through it, compromised a backend service account (a non-human account used to run automated jobs). That account had privileges to take a wide range of actions in Sign’s production environment, so they could read everything.

Dropbox’s response: Reset everyone’s passwords, logged everyone out, rotated API keys and OAuth tokens, and restricted existing API keys until customers rotated them. You know, the stuff you do after you’ve already been owned.

The Pattern: It’s Always Employee Credentials

Notice the theme here?

  • 2012: Employee password reuse
  • 2022: Employee phishing
  • 2024: Compromised service account (still a credential issue)

Now, to be fair to Dropbox: Employee credentials are among the hardest things to secure in cybersecurity.

According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involve a non-malicious human element: someone falling for phishing, social engineering, or making a mistake that leaks credentials. Even Google and Microsoft employees get phished. It’s not a Dropbox problem, it’s an everyone problem.

So why am I still pissed?

Because when you’re holding 700 million users’ files and you’ve been breached three times for the same reason, you need to architect your system so that a single compromised credential can’t access the entire customer database.

The 2024 breach is the perfect example: A compromised service account had “elevated privileges” to access the entire Dropbox Sign customer database. Why does an automated tool need access to everything?

The real issue isn’t that employees get phished. The real issue is that when they do, the blast radius is massive.

Companies with zero-knowledge encryption solve this: Even if hackers access the servers, they can’t read your files because they don’t have your encryption keys. Dropbox doesn’t offer that for regular users.

TL;DR: Yes, credential theft is hard to prevent. But that’s exactly why you should architect your system assuming it will happen. Dropbox hasn’t.

Why This Matters for You

If you’re storing sensitive files on Dropbox, you need to understand something: Dropbox doesn’t offer zero-knowledge encryption. That means Dropbox (and anyone who hacks them) can theoretically access your files.

Dropbox encrypts files at rest with AES-256, but Dropbox holds the encryption keys. The cipher isn’t the problem; key custody is. Anyone who can act as one of Dropbox’s own backend services can have the files decrypted for them, so when hackers get into those systems, your files are sitting there, ready to be accessed.

Compare that to services like Sync.com or Tresorit, which offer zero-knowledge encryption, meaning even if they get hacked, your files are encrypted with keys only you have.
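Here is the difference in working code. This is an added example written for this post, not code from Dropbox, Sync.com or Tresorit. It uses the Go standard library’s AES-256-GCM for both the file and the per-file key; the type, function and variable names (StoredFile, clientEncrypt, dumpAsAttacker, the sample document) are all made up for the demo, and the client master key is generated randomly here, where a real client would derive it from the user’s passphrase with a memory-hard KDF such as scrypt or Argon2. The cipher is identical in both models; the only thing that changes is who holds the master key, and that alone decides what a compromised service account can read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredFile is everything the storage provider keeps for one upload.
// In the zero-knowledge model this is all the provider ever sees.
type StoredFile struct {
	Ciphertext []byte // AES-256-GCM(file) under a per-file DEK, nonce prepended
	WrappedDEK []byte // AES-256-GCM(DEK) under the master key, nonce prepended
}

// newKey returns a random 256-bit AES key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts plaintext with AES-256-GCM under key, returning nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it errors if the key is wrong or the blob was tampered with.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// clientEncrypt is the upload path: a fresh DEK encrypts the file and is then
// wrapped under masterKey. Only the two blobs leave the device; masterKey does not.
func clientEncrypt(masterKey, plaintext []byte) StoredFile {
	dek := newKey()
	return StoredFile{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(masterKey, dek)}
}

// clientDecrypt is the download path: unwrap the DEK, then decrypt the file.
func clientDecrypt(masterKey []byte, f StoredFile) ([]byte, error) {
	dek, err := open(masterKey, f.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, f.Ciphertext)
}

// dumpAsAttacker models a compromised backend service account that can read the
// whole store plus every master key the provider itself holds (none in the
// zero-knowledge model). It returns every file it managed to decrypt.
func dumpAsAttacker(store []StoredFile, providerKeys [][]byte) [][]byte {
	var recovered [][]byte
	for _, f := range store {
		for _, k := range providerKeys {
			if pt, err := clientDecrypt(k, f); err == nil {
				recovered = append(recovered, pt)
			}
		}
	}
	return recovered
}

func main() {
	doc := []byte("constructed sample: 2023 tax return") // constructed sample data

	// Model A: provider-managed keys. Same AES-256, but the master key sits server-side.
	providerKey := newKey()
	storeA := []StoredFile{clientEncrypt(providerKey, doc)}
	fmt.Printf("provider holds key: attacker recovers %d file(s)\n", len(dumpAsAttacker(storeA, [][]byte{providerKey})))

	// Model B: zero-knowledge. The master key exists only on the client.
	clientKey := newKey()
	storeB := []StoredFile{clientEncrypt(clientKey, doc)}
	fmt.Printf("client holds key:   attacker recovers %d file(s)\n", len(dumpAsAttacker(storeB, nil)))
	pt, _ := clientDecrypt(clientKey, storeB[0])
	fmt.Printf("owner still reads:  %q\n", pt)
}
```

The wrapped-DEK layout is why a zero-knowledge provider can still do server-side things like deduplication of identical ciphertext or re-sharing a file (re-wrap the DEK for another user’s key, done on the client) without ever seeing plaintext; and because GCM authenticates, a service account that can write to the bucket cannot silently alter a file either.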

Why Sync.com and Tresorit are better

Sync.com is based in Canada, which has stronger privacy laws than the US (no Patriot Act bullshit). They offer zero-knowledge encryption by default on all plans, meaning they literally can’t access your files even if they wanted to. When an employee gets phished at Sync.com, your files stay encrypted. They also offer 5GB free to test it out.

Tresorit is Swiss-based (even better privacy laws) and uses end-to-end encryption for everything. They’re expensive as hell, starting at around $10.42/month, but if you’re storing genuinely sensitive stuff (legal docs, medical records, financial data), it’s worth it. Swiss jurisdiction means they’re not subject to US surveillance laws.

Both of these Dropbox alternatives have been around for years without a publicly disclosed major breach. Not because their employees are unhackable, but because their architecture assumes employees will get compromised and builds around that: a stolen employee or service-account credential gets you ciphertext and no keys.

Dropbox’s architecture assumes employees won’t get compromised. They’ve been proven wrong three times.

What Dropbox Is Doing About It

After buying Boxcryptor’s assets in late 2022, Dropbox announced it would integrate end-to-end encryption (keys held by the user, not Dropbox)… but only for Business users first. Personal users? 3 years later, we’re still waiting.

So basically, if you’re paying for Dropbox Business, you might get better security eventually. If you’re a regular user, you’re still vulnerable.

My Take: Three Strikes, You’re Out

Look, I’m not saying Dropbox is evil. I’m saying they’ve proven, three separate times, that they can’t keep employee credentials secure. And when your entire security model depends on keeping those credentials secure, that’s a serious problem.

Options if you want actual security:

  1. Sync.com - Zero-knowledge encryption, based in Canada (better privacy laws than the US)
  2. Tresorit - Swiss-based, zero-knowledge, expensive but solid
  3. ProtonDrive - From the ProtonMail people, zero-knowledge, still growing
  4. Cryptomator - Open-source client-side encryption; it encrypts your files locally into a vault before they sync, so Dropbox only ever stores ciphertext (if you’re stuck with them)

Or keep using Dropbox. Just know that you’re trusting a company that’s been breached three times, always for the same reason, and still doesn’t offer zero-knowledge encryption to regular users.

Your files, your risk.

The Angry Dev

Do NOT trust review sites. Affiliate commissions dictate their rankings. This is an affiliate site too, but I’m being honest about what I earn and I rank by quality instead of payout. Even if it means I get paid $0. Read about my approach and why I stopped bullshitting. Here’s the raw data so you can fact-check everything.
