Criticism of Dropbox
- 1 April 2011 user authentication file information
- 2 May 2011 data deduplication and employee access
- 3 June 2011 account access without password
- 5 July 2012 email spam and February 2013 reoccurrence
- 6 June 2013 PRISM program
- 7 January 2014 outage
- 8 April 2014 Condoleezza Rice appointment to board of directors
- 9 May 2014 disabled shared links
- 10 July 2014 Snowden comment
- 11 October 2014 account compromise hoax
- 12 August 2016 password leak
- 13 January 2017 accidental data restoration
- 14 References
April 2011 user authentication file information
May 2011 data deduplication and employee access
In May 2011, a complaint was filed with the U.S. Federal Trade Commission alleging Dropbox misled users about the privacy and security of their files. At the heart of the complaint was the policy of data deduplication, where the system checks if a file has been uploaded before by any other user, and links to the existing copy if so; and the policy of using a single AES-256 key for every file on the system so Dropbox can (and does, for deduplication) look at encrypted files stored on the system, with the consequence that any intruder who gets the key (as well as potential Dropbox employees) could decrypt any file if they had access to Dropbox's backend storage infrastructure. In a response on its blog, Dropbox wrote that "Like most major online services, we have a small number of employees who must be able to access user data when legally required to do so. But that's the exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access." In response to the FTC complaint, Dropbox spokeswoman Julie Supan told InformationWeek that "We believe this complaint is without merit, and raises issues that were addressed in our blog post on April 21."
June 2011 account access without password
On June 20, 2011, TechCrunch reported that all Dropbox accounts could be accessed without password for four hours. In a blog post, co-founder Arash Ferdowsi wrote that "Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions." He wrote that a "thorough investigation" was being conducted, and that "This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again." Julianne Pepitone, writing for CNNMoney, wrote that "It's the security nightmare scenario: A website stuffed with sensitive documents leaves all of its customer data unprotected and exposed", and featured a comment from Dave Aitel, president and CEO of security firm Immunity Inc., saying "Any trust in the cloud is too much trust in the cloud -- it's as simple as that. [...] It's pretty much the standard among security professionals that you should put on the cloud only what you would be willing to give away."
July 2012 email spam and February 2013 reoccurrence
In July 2012, Dropbox hired "outside experts" to figure out why some users were receiving e-mail spam from Dropbox. In a post on its blog, Dropbox employee Aditya Agarwal wrote that "usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts." However, Agarwal also noted that "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again." One of the additional controls implemented was the introduction of two-factor authentication. In February 2013, users reported additional spam, with the company stating that "At this time, we have not seen anything to suggest this is a new issue", and blamed the earlier e-mail spam issue from the past July.
June 2013 PRISM program
In June 2013, The Guardian and The Washington Post publicized confidential documents suggesting Dropbox was being considered for inclusion in the National Security Agency's classified PRISM program of Internet surveillance.
January 2014 outage
On January 11, 2014, Dropbox experienced an outage. A hacker group called The 1775 Sec posted on Twitter that it had compromised Dropbox's site "in honor of Internet activist and computer programmer Aaron Swartz, who committed suicide a year ago". However, Dropbox itself posted on Twitter that "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!" In a blog post detailing the issue, Dropbox's Akhil Gupta wrote that "On Friday at 5:30 PM PT, we had a planned maintenance scheduled to upgrade the OS on some of our machines. During this process, the upgrade script checks to make sure there is no active data on the machine before installing the new OS. A subtle bug in the script caused the command to reinstall a small number of active machines. Unfortunately, some master-replica pairs were impacted which resulted in the site going down." Gupta also noted that "Your files were never at risk during the outage".
April 2014 Condoleezza Rice appointment to board of directors
In April 2014, Dropbox announced that Condoleezza Rice would be joining their board of directors, prompting criticism from some users who were concerned about her appointment due to her history as United States Secretary of State and revelations of "widespread wiretapping on US citizens during her time in office". RiceHadleyGates, a consultancy firm consisting of Rice, former US national security adviser Stephen Hadley, and former US Secretary of Defense Robert Gates, had previously advised Dropbox.
In May 2014, Dropbox temporarily disabled shared links. In a blog post, the company detailed a web vulnerability scenario where sharing documents containing hyperlinks would cause the original shared Dropbox link to become accessible to the website owner if a user clicked on the hyperlink found in the document. Some types of shared links remained disabled over the next few weeks until Dropbox eventually made changes to the functionality.
July 2014 Snowden comment
October 2014 account compromise hoax
In October 2014, an anonymous user on Pastebin claimed to have compromised "almost seven million" Dropbox usernames and passwords, gradually posting the info. However, in a blog post, Dropbox stated "Recent news articles claiming that Dropbox was hacked aren't true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. [...] A subsequent list of usernames and passwords has been posted online. We've checked and these are not associated with Dropbox accounts."
August 2016 password leak
In August 2016, email addresses and passwords for 68 million Dropbox accounts were published online, with the information originating from the 2012 email spam issue. Independent security researcher Troy Hunt checked the database against his data leak website, and verified the data by discovering that both the accounts belonging to him and his wife had been disclosed. Hunt commented that "There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords, you simply can't fabricate this sort of thing". In a blog post, Dropbox stated: "The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. We're very sorry this happened and would like to clear up what's going on." The company outlined details that the information was "likely obtained in 2012", with the company first hearing about the list two weeks earlier, at which time they immediately started an investigation. "We then emailed all users we believed were affected and completed a password reset for anyone who hadn't updated their password since mid-2012. This reset ensures that even if these passwords are cracked, they can't be used to access Dropbox accounts."
January 2017 accidental data restoration
In January 2017, Dropbox restored years-old supposedly deleted files and folders in user accounts. In one example, a user reported that folders from 2011 and 2012 returned. In explaining the issue, a Dropbox employee wrote on its forum that "A bug was preventing some files and folders from being fully deleted off our servers, even after users had deleted them from their Dropbox accounts. While fixing the bug, we inadvertently restored the impacted files and folders to those users' accounts. This was our mistake; it wasn't due to a third party and you weren't hacked. Typically, we permanently remove files and folders from our servers within 60 days of a user deleting them. However, the deleted files and folders impacted by this bug had metadata inconsistencies. So we quarantined and excluded them from the permanent deletion process until the metadata could be fixed".
- Newton, Derek (April 7, 2011). "Dropbox authentication: insecure by design". Derek Newton. Retrieved February 17, 2017.
- Brian, Matt (April 8, 2011). "Dropbox security hole could let others access your files [Updated]". The Next Web. Retrieved February 17, 2017.
- Schwartz, Mathew (May 16, 2011). "Dropbox Accused Of Misleading Customers On Security". InformationWeek. UBM plc. Archived from the original on October 20, 2012. Retrieved February 17, 2017.
- Houston, Drew; Ferdowsi, Arash (April 21, 2011). "Privacy, Security & Your Dropbox (Updated)". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Kincaid, Jason (June 20, 2011). "Dropbox Security Bug Made Passwords Optional For Four Hours". TechCrunch. AOL. Retrieved February 17, 2017.
- Ferdowsi, Arash (June 20, 2011). "Yesterday's Authentication Bug". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Pepitone, Julianne (June 22, 2011). "Dropbox's password nightmare highlights cloud risks". CNNMoney. Time Warner. Retrieved February 17, 2017.
- White, Christopher (July 2, 2011). "Dropbox can legally sell all of your files [Update]". Neowin. Retrieved February 17, 2017.
- Houston, Drew; Ferdowsi, Arash (July 1, 2011). "Changes to our policies (updated)". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Brodkin, Jon (July 18, 2012). "Dropbox hires "outside experts" to investigate possible e-mail breach". Ars Technica. Condé Nast. Retrieved February 17, 2017.
- Agarwal, Aditya (July 31, 2012). "Security update and new features". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Brodkin, Jon (August 1, 2012). "Dropbox confirms it got hacked, will offer two-factor authentication". Ars Technica. Condé Nast. Retrieved February 17, 2017.
- Robertson, Adi (February 28, 2013). "Dropbox users claim email addresses leaked to spammers, company blames 2012 security breach". The Verge. Vox Media. Retrieved February 17, 2017.
- Greenwald, Glenn; MacAskill, Ewen (June 7, 2013). "NSA Prism program taps in to user data of Apple, Google and others". The Guardian. Guardian Media Group. Retrieved February 17, 2017.
- Gellman, Barton; Poitras, Laura (June 7, 2013). "U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program". The Washington Post. Retrieved February 17, 2013.
- "Dropbox site is back up! Claims of leaked user info are a hoax. The outage was caused during internal maintenance. Thanks for your patience!". Twitter. January 11, 2014. Retrieved February 17, 2017.
- Swartz, Jon (January 11, 2014). "Dropbox says outage arose from routine maintenance". USA Today. Gannett Company. Retrieved February 17, 2017.
- "Dropbox hit by outage on Friday, denies that it was hacked". PC World. International Data Group. January 10, 2014. Retrieved February 17, 2017.
- Gupta, Akhil (January 12, 2014). "Outage post-mortem". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Houston, Drew (April 9, 2014). "Growing our leadership team". Dropbox Blog. Dropbox. Retrieved February 8, 2017.
- "Controversy flares as Condoleezza Rice joins Dropbox board". BBC News. April 11, 2014. Retrieved February 8, 2017.
- Stone, Brad; Levy, Ari (April 11, 2014). "Dropbox's Next Chapter: Corporate Customers, IPO, Condi Rice, and Eddie Vedder". Bloomberg L.P. Retrieved February 8, 2017.
- Agarwal, Aditya (May 5, 2014). "Web vulnerability affecting shared links". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Lee, Dave (May 6, 2014). "Warning over unintentional file leak from storage sites". BBC News. Retrieved February 17, 2017.
- Yadron, Danny; MacMillan, Douglas (July 17, 2014). "Snowden Says Drop Dropbox, Use SpiderOak". The Wall Street Journal. News Corp. Retrieved February 17, 2017. (subscription required)
- Mityagin, Anton (October 13, 2014). "Dropbox wasn't hacked". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Lomas, Natasha (October 14, 2014). "Dropbox Confirms Compromised Account Details But Says Its Servers Weren't Hacked". TechCrunch. AOL. Retrieved February 17, 2017.
- Lewis, Dave (October 14, 2014). "Was Dropbox Hacked? Not So Fast". Forbes. Retrieved February 17, 2017.
- Mendelsohn, Tom (August 31, 2016). "Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts". Ars Technica. Condé Nast. Retrieved February 17, 2017.
- Brandom, Russell (August 31, 2016). "Dropbox's 2012 breach was worse than the company first announced". The Verge. Vox Media. Retrieved February 17, 2017.
- McGoogan, Cara (August 31, 2016). "Dropbox hackers stole 68 million passwords - check if you're affected and how to protect yourself". The Daily Telegraph. Telegraph Media Group. Retrieved February 17, 2017.
- Gibbs, Samuel (August 31, 2016). "Dropbox hack leads to leaking of 68m user passwords on the internet". The Guardian. Guardian Media Group. Retrieved February 17, 2017.
- Heim, Patrick (August 25, 2016). "Resetting passwords to keep your files safe". Dropbox Blog. Dropbox. Retrieved February 17, 2017.
- Tung, Liam (January 25, 2017). "Dropbox bug kept users' deleted files on its servers for six years". ZDNet. CBS Interactive. Retrieved February 18, 2017.
- Hackett, Robert (January 25, 2017). "Dropbox Didn't Actually Delete Your 'Deleted' Files". Fortune. Time Inc. Retrieved February 18, 2017.