Dropbox ambushes its users with a radically different version of its sync app.
A huge cache of personal data from Dropbox, containing the e-mail addresses and hashed passwords of nearly 70 million account holders, has been discovered online.
Data stolen in the 2012 breach, containing hashed passwords (roughly half bcrypt, half salted SHA-1) and details of around two-thirds of the cloud firm's customers, has been leaked.
Dropbox says sorry for stuffing users' folders with files it was meant to have deleted permanently years ago.
Criticism of Dropbox centers on various security and privacy controversies surrounding Dropbox, an American company specializing in cloud storage and file synchronization. Issues include a June 2011 authentication problem that let accounts be accessed for several hours without passwords, a July 2011 Privacy Policy update with language suggesting Dropbox had ownership of users' data, concerns about Dropbox employee access to users' information, July 2012 email spam with a recurrence in February 2013, leaked government documents in June 2013 indicating that Dropbox was being considered for inclusion in the National Security Agency's PRISM surveillance program, a July 2014 comment from NSA whistleblower Edward Snowden criticizing Dropbox's encryption, the leak of 68 million account credentials (e-mail addresses and hashed passwords) on the Internet in August 2016, and a January 2017 accidental data restoration incident in which years-old, supposedly deleted files reappeared in users' accounts.
Dropbox, the online backup and file sharing service, claims to have hit 25 million users in a single year. Big news for any start-up. A change in its terms and conditions received far less attention, because it looked like the addition of a term that is common to online services.
For the past several days I have been focused on understanding the inner workings of several popular file synchronization tools, with the aim of finding useful forensic artifacts that these tools may leave on a system. Given the prevalence of Dropbox, I decided it would be one of the first synchronization tools I analyzed, and while working to understand it better I came across some interesting security-related findings.
The meta-issue is pretty simple. If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext. For most people -- Gmail users, Google Docs users, Flickr users, and so on -- that's fine. For some people, it isn't. Those people should probably encrypt their files themselves before sending them into the cloud.
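Schneier's advice in the excerpt above, encrypt before you upload, carried into code as an added example (not from any of the linked articles, and not Dropbox's own tooling): each file is sealed on the client with AES-256-GCM before it ever reaches the sync folder, so the provider stores and returns only opaque blobs and has no plaintext to look at, deduplicate, preview or hand over. The key handling, the file path and the sample contents are constructed for illustration; the path is bound in as associated data so a blob cannot be quietly moved into another file's slot.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob layout as stored at the provider: nonce (12 bytes) || ciphertext || 16-byte tag.
// The provider never sees the key, so the blob is all it can learn from the contents.

// newKey returns a fresh 256-bit key. Keep it on the client (OS keychain, password
// manager); a key file synced next to the blobs defeats the whole exercise.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts one file's contents. The file's path is bound as associated
// data, so a blob moved into another file's slot (a provider-side swap) fails
// authentication on the client instead of decrypting to the wrong document.
func sealFile(key []byte, path string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to dst (the nonce), giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// openFile reverses sealFile. Any change to the blob, the key or the path fails
// authentication and returns an error rather than garbage plaintext.
func openFile(key []byte, path string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed file")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(path))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file standing in for anything dropped into the sync folder.
	path := "Documents/tax-return-2016.pdf"
	plain := []byte("sample file contents that the provider must not read")

	blob, err := sealFile(key, path, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d plaintext bytes as a %d-byte opaque blob\n", len(plain), len(blob))

	got, err := openFile(key, path, blob)
	fmt.Printf("decrypt with right key and path: %q err=%v\n", got, err)

	_, err = openFile(key, "Documents/other.pdf", blob)
	fmt.Println("decrypt under another path:", err)

	blob[len(blob)-1] ^= 0x01 // one flipped bit in the tag
	_, err = openFile(key, path, blob)
	fmt.Println("decrypt after tampering:", err)
}
```

This is exactly the trade Schneier describes: once the blobs are opaque the provider can no longer deduplicate, search, preview or restore individual documents for you, and you own the key-loss problem. File names and sizes are still visible to the provider unless the path is obfuscated as well, and with random 96-bit GCM nonces the key should be rotated long before 2^32 files have been sealed under it.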
The FTC complaint charges Dropbox with telling users that their files were fully encrypted and that even Dropbox employees could not see their contents. Ph.D. student Christopher Soghoian published data last month showing that Dropbox could indeed see the contents of files, exposing users to government searches, rogue Dropbox employees, and even companies seeking to bring mass copyright-infringement suits.
All malware is bad, but ransomware is particularly insidious, as any ransomware victim will tell you. That's why a new attack scheme called "Pacman" has raised alarms: it's even nastier than usual. Think of the classic Pac-Man game's voracious yellow ball, chomping up all of your files. It takes only one click to infect a vulnerable PC, and the attack gives victims only 24 hours to pay the ransom in Bitcoin or risk losing all of the compromised data.
Last summer, I deleted my Dropbox account after the company admitted to a horrifying security breach. This week, I reluctantly opened a new Dropbox account. Within minutes, I received a message from Dropbox suggesting that their back-end processes are still problematic. Here's why I'm concerned.
Update: Dropbox hack blocked by Apple in Sierra. Following my post revealing Dropbox's Dirty Little Security Hack a few weeks ago, I thought I'd look deeper into how Dropbox was getting …