How secure is Dropbox?

Contents

Dropbox offers a number of security features to protect your data, like end-to-end encryption, permissions, two-factor authentication and geo-redundancy.

How Dropbox security looks in a nutshell

Dropbox offers 256-bit encryption as well as SSL/TLS and AES-128-bit encryption for uploads and downloads.
Additional security features include two-factor authentication, Boxcryptor compatibility, Perfect Forward Secrecy, certificate pinning and geo-redundant data centers.
Two potential drawbacks regarding data protection and sovereignty: Dropbox reserves the right to limit access to user data as outlined in its terms of service. Additionally, it is subject to the U.S. Cloud Act, which, according to some experts, may conflict with the European GDPR, even though Dropbox claims to comply with GDPR regulations.

What encryption technologies does Dropbox use?

The encryption methods used for data at rest are especially relevant for companies that outsource third-party servers. As one of the oldest and most well-known cloud services, Dropbox offers comprehensive encryption of your cloud data.

Dropbox uses the following encryption technologies:

AES-256-bit encryption

Dropbox’s security is off to a good start with modern AES-256-bit encryption for all cloud data. The Advanced Encryption Standard is one of the most secure encryption technologies out there and is even used by the U.S. government. To get a sense of just how secure it is: It would take several billion years to crack even the “weaker” 128-bit encryption. So 256-bit guarantees reliable protection against brute force attacks.

TLS/SSL and 128-bit encryption

Of course, it’s important that data is protected not just at rest in the cloud but also during uploads and downloads. That’s why Dropbox uses TLS and SSL encryption, short for “Secure Sockets Layer” and “Transport Layer Security”. That means your data is transferred through a secure tunnel with AES-128-bit encryption, meaning that it’s virtually impossible to intercept and decrypt your data in transit.

Fact

SSL and TLS are often mentioned together. However, TLS is actually the successor to SSL – that is, a newer, better, more secure version of SSL. Older SSL protocols are now invalid and hardly used.

Zero-knowledge encryption with Boxcryptor

Zero knowledge means that you encrypt your data before uploading it to the cloud, making it unreadable for the cloud service. For client-side encryption, Dropbox implements zero-knowledge encryption natively using technology from the German company Boxcryptor. Dropbox acquired the company in 2022.

HiDrive Cloud Storage

Store and share your data on the go

Store, share, and edit data easily
Backed up and highly secure
Sync with all devices

What access rights does Dropbox have?

Before you use a cloud service, you should take a look at their terms and conditions. That will quickly make clear what access rights the cloud service reserves. Dropbox, for example, mentions limited access to data stored on the server.

In addition to limited access to your data, the security of your cloud data also depends on the options for sharing files with others. It’s important that you can determine yourself who can see which files and who can’t.

Dropbox offers more or less the same sharing permissions as most Dropbox alternatives. For each file or folder, you can specify who has access to it, share a link with them and revoke these permissions whenever you want. You can also decide whether each person has read-only access or can also edit files.

Does Dropbox have two-factor authentication?

You can also increase the security of your Dropbox account with optional two-factor authentication (2FA). 2FA requires both a password and a security code that you receive via SMS or an authenticator app like Google Authenticator. Two-step verification is a standard offered by pretty much every reputable service for sharing, storing and editing data. On Dropbox, you’ll need to enable the feature in your account.

How does account recovery work?

Whether you forgot your password, your account was hacked or you accidentally deleted your account – account recovery is an important part of cloud security. In Dropbox Basic and Dropbox Plus, you can request to recover a file or account for 30 days. With subscription levels like Essentials or Business you have up to 180 days to recover your data, and with Business Plus you have up to 365 days.

What security measures does Dropbox offer against cyber attacks?

If you store data in cloud services, you have to rely on these companies to take sufficient security measures against cyber attacks. Similar to Google Drive and iCloud, Dropbox offers high cloud security with the following measures against cyber attacks:

High data center security with geo-redundancy
Modern encryption with AES-256-bit for data in rest
TLS encryption with AES-128-bit for data in transit
Integrated password protection with a secure password
Optional two-factor authentication
Automatic, synchronized data backups
Account and file recovery
Perfect Forward Secrecy (prevents later decryption of data using session keys that cannot be reconstructed)
Certificate pinning (ensures that connections are only made to authorized servers)

Despite all of these security measures, Dropbox has one important weak point: Uploads and downloads are not scanned for viruses and malware.

Known security incidents at Dropbox

As a cloud service that’s existed since 2008, Dropbox inevitably has some security incidents in its history. Some of the most well-known ones include:

In 2011, an update error resulted in all Dropbox accounts being accessible with their email address alone for several hours.
In 2012, a Dropbox employee’s account was compromised, leading to the publication of over 68 million users’ data, including email addresses and passwords. The security breach demonstrated that Dropbox employees’ access to data continues to pose a security risk.
In 2017, files dating back as far as 6 years re-appeared in users’ accounts. The incident showed that Dropbox does not permanently delete data deleted by users.
In 2022, it became known that around 130 repositories of source code were stolen using a compromised employee account. The stolen source code included internal prototypes, security tools and copies of libraries.
In 2024, attackers gained access to the Dropbox Sign production environment and were able to steal customers’ personal data.

Is the Cloud Act relevant for Dropbox?

Dropbox is a U.S.-based company whose cloud servers are located primarily in the U.S., making it subject to the Cloud Act. The law passed in 2018 and grants authorities almost unrestricted access to the cloud data of U.S. companies. Dropbox is thus required to hand over user data, regardless of where that user is located. A court order is not always required. That means that complete data protection is not possible with Dropbox.

Tip

For certified server locations in Europe with maximum, GDPR-compliant data security, take a look at HiDrive Cloud Storage.

Does Dropbox meet data protection standards for companies?

When it comes to data security and data sovereignty, companies need to ask themselves whether Dropbox is suitable for business use. Generally, Dropbox meets the most important requirements for compliance and data protection with state-of-the-art encryption, access control and important certifications. Certifications that it offers include:

ISO 27017 (cloud security)
ISO 27018 (cloud privacy and data protection)
CSA STAR Level 2 (Cloud Security Alliance: Security, Trust, Assurance, Risk registry)

Like Google Drive and iCloud servers, Dropbox offers a solid security standard that is compatible with business use. However, the fact that it is subject to the Cloud Act is a major drawback in terms of security.

Summary: Is Dropbox secure?

In conclusion, Dropbox offers a high level of cloud security with its modern encryption, secure data centers and zero-knowledge encryption. However, past security incidents, unclear employee access to data and the Cloud Act mean that Dropbox is not the ideal cloud service for highly sensitive, critical company data.

If you’re wondering which cloud is the most secure, pay attention to which data protection guidelines the cloud service is subject to. In this case, Dropbox does not meet the high standard of the European GDPR, for example, and is instead subject to data sharing requirements in the Cloud Act.

Which storage service is best? Dropbox vs. Google Drive

What do photo sharing, document collaboration and backups for important files all have in common? They can be done online with cloud storage solutions. While there are plenty of providers on the market, we’ll compare two of the oldest ones: Dropbox vs. Google Drive. Find out what…

Comparison
Cloud Storage
Google Workspace

SFIO CRACHOShutterstock

How to delete a Dropbox account step by step

There are several reasons why you might want to delete your Dropbox account. How you do it depends on whether you want to close a free or a paid Dropbox account. In the latter case, you need to cancel your Dropbox subscription before you can close the account. Our article…

Tutorials
Cloud Storage

DestinaDesignShutterstock

How to find and use Dropbox logs

Dropbox has a lot of advantages, whether it be as a practical online file storage space or as cloud storage for teamwork and file sharing. It’s particularly useful to be able to see when files have been changed and updated when you’re working with others. This is where Dropbox…

Tutorials

How secure is Dropbox?

How Dropbox security looks in a nutshell

What en­cryp­tion tech­nolo­gies does Dropbox use?

AES-256-bit en­cryp­tion

TLS/SSL and 128-bit en­cryp­tion

Zero-knowledge en­cryp­tion with Box­cryp­tor