Dropbox, the cloud storage and file-sharing platform, suffered a breach in mid-2012 after attackers obtained employee credentials and used them to access an internal document containing user email addresses. The incident exposed data belonging to tens of millions of customers. The full scale only became clear in August 2016, when a dataset of over 68 million records appeared for trade online, prompting Dropbox to force password resets for users it believed were at risk. The exposed data included email addresses and salted password hashes. Approximately half used the SHA-1 algorithm and half used bcrypt, a stronger hashing method. While hashed passwords are not plaintext, they can be cracked with enough computing effort, particularly the SHA-1 portion. Anyone who reused their Dropbox password on other services faced a heightened risk of account takeover across those platforms. No major regulatory action was publicly reported in connection with this breach. The four-year gap between the 2012 incident and the 2016 disclosure means many affected users had no opportunity to act promptly. For those affected, the primary ongoing risk is credential reuse: if the same email and password combination was used elsewhere, those accounts may still be vulnerable. Checking for reused passwords and enabling two-factor authentication on accounts tied to the exposed email address remains advisable.

Cloud storage and collaboration platforms collect emails, usernames, passwords, device-linked access data, and sharing records tied to personal and organizational file storage.

Dropbox’s recent public strategy has focused on AI-enabled knowledge work and workflow expansion. In 2025 and early 2026, the company emphasized growth around Dropbox Dash, deeper product integration, and investment in AI tools for work, while also telling investors it was strengthening its core file-sync-and-share foundation and accelerating Dash as a major future growth area.