How secure is Dropbox?

In this article, you’ll learn whether security measures such as end-to-end Dropbox encryption, access rights, two-factor authentication and georedundancy are enough to ensure Dropbox is a secure cloud service.

A quick overview of Dropbox security

  • Dropbox offers 256-bit encryption to protect your cloud data, as well as SSL/TLS and AES-128-bit encryption for uploads and downloads.
  • Other security features include two-factor authentication, Boxcryptor compatibility, perfect forward secrecy and georedundant data centres.
  • Two disadvantages of Dropbox privacy, data protection and sovereignty: Dropbox reserves limited access rights to user data in its terms and conditions and, as a US company, is subject to the Cloud Act, which is not GDPR-compliant.

What encryption does Dropbox use?

Encryption methods for stored data (data at rest) are crucial for companies that outsource third-party servers. Being one of the oldest and best-known cloud services, Dropbox offers convincing, comprehensive encryption of your cloud data.

Dropbox uses the following encryption techniques:

AES 256-bit encryption

At first glance, Dropbox encryption seems convincing. It uses AES-256 encryption for all cloud data which means Dropbox is cutting edge. The Advanced Encryption Standard that uses a 256-bit key is among the most secure encryption techniques used by the US government. To put this into perspective, it would take several billion years to crack the ‘weaker’ 128-bit encryption. With 256-bit, reliable protection against brute force attacks is guaranteed.

TLS/SSL and 128-bit encryption

Data shouldn’t just be protected in the cloud but should be uploaded and downloaded securely as well. For this reason, Dropbox uses TLS and SSL, short for ‘Secure Sockets Layer’ and ‘Transport Layer Security’, encryption methods. Data is transferred through a protected tunnel encrypted with AES-128. Interception and decryption of your data transmissions (data-in-transit) is thus virtually impossible.

Fact

SSL and TLS are often mentioned together. However, TLS is the successor to SSL—that is, the newer, more secure and better version of SSL. Older SSL protocols are now illegal and hardly used anymore.

Zero-knowledge encryption with Boxcryptor

One shortcoming of Dropbox is that data is only encrypted on the server, i.e., server-side. Zero-knowledge encryption is only available with a third-party provider. Zero knowledge means you encrypt your data before uploading it to the cloud, making it unreadable for the cloud service. For client-side encryption, Dropbox supports the Boxcryptor service. It’s available on the free package for up to two devices. A more comprehensive range of services is available with paid packages. Other cloud services such as HiDrive cloud storage from IONOS offer integrated zero-knowledge encryption.

What are Dropbox’s access rights?

When using a cloud service, it’s always best to check out the terms and conditions. They clarify how many access rights the cloud service provides. Dropbox, for example, has limited access rights for data stored on the server side. If you don’t use a third-party provider for client-side encryption, Dropbox can read and decrypt the data stored in the cloud at any time. According to the company, restricted access rights serve to guarantee backups. From the user perspective, this can be seen as a lack of data sovereignty.

What sharing and access rights do Dropbox users have?

Apart from restricted access rights to your data, cloud data security depends on another important aspect: collaboration options with others. It’s important to be able to determine who can access your files and which files they can access.

Dropbox provides the same file sharing rights as most Dropbox alternatives to this end. Simply specify who gets access to which file or folder and share a link with the recipients. You can also revoke permissions at any time. You can also specify whether authorised recipients get read-only access or can edit files.

How does two-factor authentication work with Dropbox?

The optional two-factor authentication (2FA), makes it easy to protect your Dropbox account from unauthorised access. First, enable the feature in your Dropbox account. With a 2FA, you’ll need a security code in addition to your password, which you receive via SMS or via an authenticator app such as Google Authenticator. Two-step verification is a standard that any reputable service for sharing, storing and editing data should offer these days.

Does Dropbox offer account recovery?

Whether you forget your password, your account has been hacked, or you accidentally deleted the wrong account, account recovery is a standard feature of cloud security. With Dropbox Basic (free), you can request file and account recovery for up to 30 days. With paid subscriptions like Standard or Professional, data and account recovery and account resets are available for up to 180 days.

What protection does Dropbox offer against cyberattacks?

When you outsource data to cloud services, you do this in good faith that the respective companies are taking sufficient security precautions against cyberattacks. Dropbox, like Google Drive and iCloud offers excellent cloud security that includes the following standard protections against cyberattacks:

  • High data centre security through geo-redundancy
  • Modern encryption with AES-256-bit for data-in-rest (storage)
  • TLS encryption with AES-128 bit for data-in-transit (transmission)
  • Integrated password security for a more secure password
  • Optionally, two-factor authentication
  • Backup data with automatic, synchronised backups
  • Account and file recovery
  • Perfect Forward Secrecy (prevents subsequent data decryption due to session keys that can’t be reconstructed)

Despite the aforementioned security precautions, Dropbox has one notable weakness in protecting against cyberattacks: it doesn’t scan uploads and downloads for viruses and malware. Dropbox also doesn’t offer automatic warnings and security notifications in case of suspicious logins. You’ll need to activate them manually.

What known cases of security issues with Dropbox are there?

As a cloud service that’s been around since 2008, Dropbox inevitably looks back on a number of security incidents. Among the best known are:

  • In 2011, an update bug caused any Dropbox account to be accessible via the associated email address for several hours.
  • In 2012, the compromised account of a Dropbox employee led to the publication of around 68 million user data including email addresses and passwords. The security breach showed that access to cloud data by Dropbox employees remains a security risk.
  • In 2017, files resurfaced in users’ accounts that dated back up to six years. The incident suggests that Dropbox doesn’t permanently remove deleted data.
  • In 2022, it was revealed that the theft of around 130 repositories of source code occurred via a compromised employee account. The stolen source code included internal prototypes, security tools and copies of libraries.

Does the Cloud Act matter for Dropbox?

Dropbox is a US company with cloud servers located in the USA. Dropbox is therefore subject to the US Cloud Act. The law, enacted in 2018, grants US authorities almost unrestricted access to the cloud data of US companies. This also applies to consumer data of a US company operating EU servers. In the event of an emergency, Dropbox is obliged to hand over user data, even if it’s not located in the USA. In some circumstances, data may have to be handed over without a court order. Therefore, the Cloud Act alone doesn’t guarantee 100 percent data protection.

Another problem from a data security perspective is that since 2020, there’s been no legal protection from the EU for EU companies that transfer data to US companies. This was abolished by the European Court of Justice in 2020 in the form of the ‘EU-US Privacy Shield’. Both the Cloud Act and the Foreign Intelligence Surveillance Act don’t meet European data protection standards. Protecting customer data, GDPR-compliant cloud computing and legal protection are the sole responsibility of companies.

Tip

If you prefer certified server locations in Europe offering the highest data security in accordance with the GDPR, you can rely on the IONOS HiDrive Cloud Storage.

Does Dropbox meet privacy standards for businesses?

When it comes to data security and data sovereignty, companies may consider if Dropbox really is suitable for business use. Generally, the service meets the most important requirements for compliance and data protection with state-of-the-art encryption, access control and important certifications. Certifications offered by Dropbox include:

  • C5 standard (Cloud Computing Compliance Controls Catalogue) of BSI
  • ISO 27017 (cloud security)
  • ISO 27018 (Data protection and data security in the cloud)

Similar to Google Drive or iCloud servers, Dropbox offers a solid security standard for business use. Nevertheless, the transfer of sensitive data to US companies in connection with the Cloud Act is a big disadvantage. In addition, essential aspects such as the privacy policy and an order processing contract with Dropbox need to be managed by the user in order to ensure GDPR-compliant data protection.

So, Is Dropbox safe?

Dropbox offers a high level of cloud security thanks to modern encryption, secure data centres and optional features like Boxcryptor. However, previous security incidents, murky access rights by Dropbox employees, and the US Cloud Act mean that Dropbox isn’t necessarily the best cloud service for highly sensitive, critical company data.

When determining which cloud is the most secure, pay attention to the data protection guidance issued by the respective cloud service before making your choice. In the case of Dropbox, European data protection standards aren’t satisfactorily met. To meet them, stick to alternative European services with servers located in Germany or other EU countries.

Was this article helpful?
Page top