Dropbox has experienced two significant security incidents — a 2012 breach that exposed 68 million accounts and a 2024 breach of its Dropbox Sign e-signature service. Despite these incidents, Dropbox is safe to use in 2026. The company has implemented strong security measures including mandatory two-factor authentication options and zero-knowledge encryption. Here is what you need to know.

What happened in the Dropbox data breaches?

Dropbox has had two notable security incidents, separated by more than a decade.

The 2012 breach exposed 68 million user records, including email addresses and hashed passwords. The breach originated from a stolen employee credential — an employee had reused a password from LinkedIn (which was also breached in 2012), and attackers used that password to access internal Dropbox systems.

The passwords in the stolen database were protected with a mix of bcrypt and SHA-1 hashing. Bcrypt-hashed passwords were relatively safe, but the SHA-1 hashed passwords were more vulnerable to cracking. Like the LinkedIn breach, the full scope of the Dropbox breach was not understood until 2016, when the complete database appeared on dark web marketplaces.

Importantly, the 2012 breach did not give attackers access to user files stored on Dropbox — only account credentials were stolen. Your documents, photos, and other files were not part of the leaked data.

The 2024 Dropbox Sign breach was a separate incident affecting Dropbox Sign, the company’s e-signature service (formerly known as HelloSign, which Dropbox acquired in 2019). In April 2024, Dropbox disclosed that an attacker gained access to the Dropbox Sign production environment by compromising an automated system configuration tool.

The attacker accessed a database containing Dropbox Sign customer information including email addresses, usernames, phone numbers, hashed passwords, and authentication settings like API keys and OAuth tokens. Users who had signed documents through Dropbox Sign without creating an account also had their names and email addresses exposed.

This breach was limited to Dropbox Sign and did not affect the core Dropbox file storage service.

Is Dropbox safe to use now?

Yes, Dropbox is safe to use in 2026. The company has taken extensive steps to address both breaches and strengthen its overall security posture.

For the core Dropbox file storage service, your files are encrypted using 256-bit AES encryption at rest and SSL/TLS encryption in transit. Dropbox also offers Vault — a PIN-protected folder that uses zero-knowledge encryption, meaning even Dropbox cannot access the contents. This is a significant security feature for storing sensitive documents.

Dropbox has also implemented mandatory two-factor authentication for team accounts, improved its internal credential management to prevent the type of password reuse that caused the 2012 breach, and built advanced monitoring systems that detect unauthorized access attempts.

For Dropbox Sign, the compromised infrastructure was isolated and rebuilt. All affected API keys and OAuth tokens were rotated, and impacted users were required to reset their passwords.

What did Dropbox do to fix the security problems?

Dropbox responded to both breaches with concrete security improvements:

  • Forced password resets for all accounts affected by the 2012 and 2024 breaches
  • Upgraded password hashing — all passwords are now stored using bcrypt, eliminating the weaker SHA-1 hashing that was partially used in 2012
  • Added mandatory two-factor authentication for Dropbox Business and team accounts, with strong recommendations for personal accounts
  • Introduced Dropbox Vault — a zero-knowledge encrypted folder for sensitive files where only you hold the key
  • Improved internal credential policies to prevent employees from reusing passwords across services
  • Rebuilt the Dropbox Sign infrastructure after the 2024 breach, including rotating all API keys, OAuth tokens, and session tokens
  • Enhanced monitoring and threat detection across all Dropbox services with real-time alerting for suspicious activity
  • Implemented a comprehensive bug bounty program that rewards security researchers for finding vulnerabilities
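
The hashing upgrade in the list above, sketched as an added example (not Dropbox's code or its actual migration procedure): a login path that verifies a legacy fast-hash record and re-stores it under a slow, salted key-derivation function on the next successful login. PBKDF2 from Python's standard library stands in for bcrypt here; the salted SHA-1 record layout, the sample account and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for the PBKDF2 stand-in (not bcrypt)


def legacy_sha1_record(password: str, salt: bytes) -> dict:
    """Constructed legacy record: a single fast pass of salted SHA-1."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return {"scheme": "sha1", "salt": salt.hex(), "hash": digest}


def slow_record(password: str) -> dict:
    """New-style record: fresh random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "iter": ITERATIONS, "hash": key.hex()}


def matches(record: dict, password: str) -> bool:
    """Recompute the stored scheme and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == "sha1":
        candidate = hashlib.sha1(salt + password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, record["iter"]).hex()
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(store: dict, user: str, password: str) -> bool:
    """Verify a login; upgrade a weak record while the password is in hand."""
    record = store.get(user)
    if record is None or not matches(record, password):
        return False
    if record["scheme"] != "pbkdf2" or record["iter"] < ITERATIONS:
        store[user] = slow_record(password)
    return True


# Constructed sample data: one account still stored under the legacy scheme.
USERS = {"alice@example.com": legacy_sha1_record("correct horse", b"\x01" * 8)}
```

An account that never logs in again keeps its legacy record under this pattern, which is why it is normally paired with a forced password reset.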

Dropbox now publishes regular transparency reports and maintains a dedicated security page where users can review the company’s current security practices.

How to check if your Dropbox data was exposed

If you had a Dropbox account before 2012 or used Dropbox Sign before April 2024, your data may have been exposed.

Check your email now with EmailLeaked — it scans billions of records from known data breaches, including the Dropbox breaches, and tells you instantly if your email was involved. The check is free and takes only seconds.

Knowing which breaches your email appeared in is important even if you have already changed your Dropbox password. Attackers use leaked email-password combinations in credential stuffing attacks, testing them against dozens of other websites automatically.

5 steps to secure your Dropbox account right now

Whether you were affected by the breaches or not, these steps will protect your Dropbox account and files.

Step 1: Change your password. Log in at dropbox.com, go to Settings, then Security, and change your password. Use at least 16 characters, make it completely unique to Dropbox, and do not base it on any personal information. A password manager handles this for you.

Step 2: Enable two-factor authentication. In the same Security settings, turn on two-step verification. Use an authenticator app like Google Authenticator or Authy rather than SMS. This adds a critical second layer of protection. Learn more about how two-factor authentication keeps you safe.

Step 3: Review connected devices and apps. In your Security settings, check the list of devices linked to your Dropbox account and active web sessions. Remove any you do not recognize. Also review third-party apps connected to your Dropbox — remove any you no longer use.

Step 4: Use Dropbox Vault for sensitive files. If you store sensitive documents like tax returns, contracts, or identification documents in Dropbox, move them to Vault. This zero-knowledge encrypted folder requires a separate PIN and provides an extra layer of protection even if your main account is compromised.

Step 5: Check for password reuse. The 2012 breach happened because a Dropbox employee reused a password. Do not make the same mistake. If your Dropbox password was ever used on any other service, change those other passwords immediately. Each account should have its own unique password — this is the single most effective defense against credential stuffing.

The bottom line

Dropbox’s 2012 breach was caused by a simple but devastating mistake — password reuse by an employee. The 2024 Dropbox Sign breach was more targeted, and it was likewise addressed with swift action. In both cases, user files stored on Dropbox were not compromised.

Dropbox in 2026 offers strong security features including AES-256 encryption, zero-knowledge Vault, and two-factor authentication. The platform is safe for storing your files, including sensitive documents, as long as you take basic precautions with your account security.

Check if your email was exposed, update your password, turn on two-factor authentication, and consider using Vault for your most important files.

For more guidance, read our articles on how to create a strong password and what to do if your password was leaked.