A new class action lawsuit has been filed against Dropbox, accusing the tech company of failing to protect thousands of customers from a significant data breach. The lawsuit, initiated by plaintiff Steven Guiffre, claims that Dropbox neglected to implement necessary security measures to prevent a breach that occurred on or before April 24.
This lawsuit comes in the wake of a major 2012 breach that impacted 68 million users, marking one of the largest hacks in cloud server history. The scale of the current breach remains uncertain, but it is estimated to affect several hundred thousand users. Compromised data reportedly includes user emails, usernames, phone numbers, hashed passwords, multi-factor authentication details, and general account settings.
The lawsuit alleges that the plaintiffs’ personally identifiable information (PII) was exposed to an unknown third party, significantly increasing the risk of future fraud and identity theft. The complaint states, “The PII of Plaintiff and Class Members was compromised through disclosure to an unknown and unauthorized third party—an undoubtedly nefarious third party that seeks to profit off this disclosure by defrauding Plaintiff and Class Members in the future.”
Beyond the risk of identity theft, the plaintiffs have incurred substantial costs related to verifying the breach, monitoring their credit, exploring identity theft services, and consulting legal advice. The lawsuit claims that plaintiffs have suffered actual injury due to the diminished value of their PII, which they had entrusted to Dropbox.
This recent lawsuit exacerbates Dropbox’s ongoing security challenges. In late 2022, the company disclosed another breach, where hackers accessed 130 code repositories, some source code, and personal information of some customers and employees. The new lawsuit underscores the ongoing security concerns and potential vulnerabilities within Dropbox’s data protection systems.