Dropbox is one of the most popular cloud storage solutions in the world, supporting more than 14 million paying customers as of December 2019. Like most online services that have a long history dating back to the early days of the web, Dropbox's past includes hacks and data breaches.
The most infamous incident included the theft of more than 68 million account credentials in 2012 (hackers tried to sell this data in 2016), and the hack led to the company resetting passwords for millions of accounts in 2016.
In the years since, Dropbox has shored up its security substantially. Today the service's 256-bit AES encryption and its support for additional security tools like two-factor authentication are competitive.
The service authenticates all user connections to the server, whether it's via a web browser or mobile app, and Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data as it moves between Dropbox's users and the servers.
Moreover, Dropbox routinely tests its own hardware, software and processes for security vulnerabilities, and makes sure to alert users if Dropbox detects an attempted login from a new device or location. There have been no known large-scale hacks on Dropbox since 2012.
"Their current encryption standards make the odds of a hack less likely, but no cloud-based solution is completely safe from new and emerging threats," said Kristen Bolig, founder of SecurityNerd.
Aside from the risk of an attack on Dropbox itself, one of the most dangerous vulnerabilities is on the user end of the Dropbox experience. Users – especially corporate customers – routinely face phishing attacks and social engineering attacks designed to trick people into giving up credentials and access to accounts.
And not all security concerns originate with hackers and criminals. Dropbox's user base crosses international boundaries, and Dropbox may opt to share user data with government agencies and law enforcement from time to time – the service has formal guidelines that dictate its behavior based on official requests.
All that means your risk of a data breach with Dropbox is low, but not zero, and there are steps you can take to ensure your own security.
Chris Hauk, consumer privacy advocate with Pixel Privacy, recommended enabling Dropbox's two-factor authentication. "This ensures that if a third party attempts to log into your Dropbox account, you will be notified via email or text message."
Simple human error is also a risk — Dropbox allows users to store files in easily exposed public folders, for example, so it's important to be careful about where files are placed.
And for the ultimate in security, against both accidental public folder disclosures and hacks, security experts like Security.org's Chief Editor Gabe Turner suggest using file-level encryption on important files stored on Dropbox. You can encrypt and password-protect documents created in Microsoft Office, for example, or with a third-party app.
This eliminates the risk of Dropbox itself accessing your files with the company's own encryption key or handing your information to government authorities.
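One way to apply the file-level encryption described above before a file ever reaches the Dropbox folder, as an added example that is not from the article or from Dropbox: Node.js's built-in crypto module derives an AES-256 key from a password with scrypt and encrypts with AES-GCM, so a wrong password or a modified file is rejected on decryption. The function names, the salt|nonce|tag|ciphertext layout and the scrypt parameters are assumptions of this example.

```javascript
// Added example: password-based, client-side encryption of a file's bytes.
// Container layout (an assumption of this example, not a standard format):
//   salt (16 bytes) | nonce (12 bytes) | GCM tag (16 bytes) | ciphertext
const crypto = require('crypto');

const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
// scrypt cost settings chosen for the example; N = 2^15 needs about 32 MiB,
// so maxmem is raised above Node's default limit.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(password, salt) {
  // A 32-byte output gives a 256-bit AES key.
  return crypto.scryptSync(Buffer.from(password, 'utf8'), salt, 32, KDF);
}

function encryptForUpload(plaintext, password) {
  const salt = crypto.randomBytes(SALT_LEN);   // fresh per file
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per encryption
  const key = deriveKey(password, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

function decryptAfterDownload(blob, password) {
  const header = SALT_LEN + NONCE_LEN + TAG_LEN;
  if (blob.length < header) throw new Error('truncated container');
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = blob.subarray(SALT_LEN + NONCE_LEN, header);
  const key = deriveKey(password, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAuthTag(tag);
  // final() throws if the password is wrong or any byte was altered.
  return Buffer.concat([decipher.update(blob.subarray(header)), decipher.final()]);
}

// Returns the plaintext, or null when authentication fails.
function tryDecrypt(blob, password) {
  try { return decryptAfterDownload(blob, password); } catch { return null; }
}

// Constructed sample input, not real data.
const sample = Buffer.from('constructed sample: household budget 2020\n');
const stored = encryptForUpload(sample, 'example passphrase');
console.log('round trip ok:', tryDecrypt(stored, 'example passphrase').equals(sample));
console.log('wrong password rejected:', tryDecrypt(stored, 'guess') === null);
```

Only the output of encryptForUpload is written to the synced folder; the password stays with the user, so the storage provider holds ciphertext it cannot decrypt.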