See update at end of post with comment from Dropbox support.
Last summer, I deleted my Dropbox account. That wasn't something I did in anger or in haste. Instead, it was the result of a series of security failures that led me, finally, to lose my trust in Dropbox.
In that June outage, a Dropbox code update caused the security underlying the entire cloud-based file storage system to break down. For at least four hours, anyone could log into any Dropbox account using any password. Some accounts were compromised. Dropbox says the number was "fewer than a hundred," but there's no way to fact-check that statement.
This week, reluctantly, I created a new Dropbox account. My teammates in a new work project are using it for its convenience, and I can't afford not to be a team player.
To set up the new account, I used Ninite to install the Dropbox app for Windows. I used a different e-mail address this time around, one that I had never used with Dropbox before. I entered my account information in the Dropbox app, including a strong password I generated using a separate app. After going through the brief configuration, I was ready to begin syncing my own files and receiving shared files from my new partners.
And then, a few minutes later, I got an e-mail from Dropbox containing this welcome message:
How cheerful! How friendly! How ... wrong.
I didn't respond to an invitation from anyone to create this account. I do not know the individual whose name is on that message. It's a common enough name, but a thorough search of my e-mail inbox shows no such invitation (nor any other email for that matter) from anyone by that name. I have a LinkedIn connection with someone by the same name, but we've never exchanged email and we don't know each other in real life.
So, did this individual get a corresponding email message from Dropbox announcing that I had just accepted his invitation? Probably.
And that concerns me.
Dropbox uses a referral model to grow. If you send invitations to your friends and they create new Dropbox accounts, you get additional free storage space. There's nothing wrong with that business model, but if you're going to use a social strategy to grow a service that depends on secure file transfers, you had better have your back-end processes buttoned down.
And Dropbox doesn't. Somewhere on their back end, their systems got confused. What else on the Dropbox back end is confused? I have no way of knowing.
When I dropped Dropbox in July, I quoted a post from the Dropbox CTO, who said, “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.” My response?
It’s going to take more than just promises of “additional safeguards” to erase the doubt that a mistake like this inspires. At the very minimum, Dropbox needs to have a thorough security audit from an independent group to ensure that it has the processes in place to back up those promises.
I see no indication that the necessary security audit ever happened.
A message I sent to Dropbox support yesterday asking for an explanation of the mysterious email has gone unanswered. It has not even been acknowledged.
This is not how a trustworthy company operates.
Because my new teammates use Dropbox, I don't have the option to quit using the service. But you can bet I will be extremely careful with it, and I certainly won't share or sync anything that is remotely confidential.
Update, 28-Oct 9:00 AM Pacific. After almost exactly 24 hours, Dropbox support responded to my support request with the following note:
The reason you received that referral email is because someone invited your email address to Dropbox at some point in the past. Even if the invitation didn't make it to you, the system remembered the referral and awarded you and the person who referred you the extra space.
Even if you don't know the person, this does not expose any of your files or information to the inviter.
I am not reassured, especially when the original e-mail specifically said I had "accepted --- ---'s invitation." I didn't, and as the support agent notes, anyone can "invite" anyone else.
As a test, I just "invited" myself to join Dropbox, using a clean email address I set up recently. Without ever seeing the email invitation, I then used that address to set up a Dropbox account. Sure enough, I was immediately notified that the new account had been set up using that address, even though I never authorized the use of my name or responded to the invitation.
As I said earlier, I want to believe Dropbox when they tell me my files are perfectly safe, but this is just an unacceptably sloppy part of the initial sign-up workflow.
Update 2: In response to comments in the Talkback section below, I contacted Ninite co-founder Patrick Swieskowski, who confirms that Ninite does not use affiliate codes with Dropbox: "Ninite just gets the plain installer directly from dropbox, confirms its digital signature, and runs it silently with the /S switch. There aren't any affiliate codes or anything like that."