
jimwc
Helpful | Level 5
8 months ago

Join team/merge account potential compromise

I have lodged a ticket with support on this but I am concerned about a potential security issue, and want to see if I can get some additional information more quickly or find alternative communication, such as a support line to talk to someone in real time.

 

I received an email to join a Dropbox team. As I have been trying to provide support to a potential client I didn't think much of it. I saw the merge accounts button and thought, ok I don't really want to do that but let's see if there's more information. NO! It just starts merging the account.

 

I am not worried about my account. It was only created for troubleshooting the client's problem. There is nothing in it except a bunch of "test files" but it looks like a colleague has also merged their account too. We don't know if this is malicious but I would like to see if there is a way to extricate my colleague's account from this situation without contacting this potential client (who we know nothing about). 

 

Is there a way we can permanently delete our files or account? This seems like a massive security issue as the admin of the team can access everything in a Dropbox with nothing less than a carelessly clicked URL.

  • Heather C.19
    Helpful | Level 5

    I just had this happen to me today! A friendly community manager here let me know that the only way you'll be able to get your accounts back is to contact their admin and have them start you a personal account. My client now has all my other client files including things like my tax returns for 2015-2023. Did I know I would be being merged into their account? Nope! I thought I was getting access to a folder. So far Dropbox has been extremely unhelpful and this is a HUGE SECURITY ISSUE they have been ignoring for what looks like about 5 years (Twitter users from 2019 complained about this). Good luck!

    • jimwc
      Helpful | Level 5

      Heather, thanks for the heads up. I am shocked and I commiserate with you. It definitely should not be so easy to lose control over your own files. I believe my colleague thought they were also gaining access to shared files. I definitely know there was no interest in merging accounts. How does Dropbox let this go on? It's an exfiltrator's goldmine. I will definitely be suggesting more secure services after this.

      • Heather C.19
        Helpful | Level 5

        You're welcome Jim! I'm sorry it happened to you and your friend too! It feels like we've been hacked. I'm also shocked. It seems really easy for anyone to send a link to join a team folder and shoop–suddenly have a ton of free data! I'm moving my files to something more secure. In doing some investigating I also found out that DB employees can look at your files whenever?? That's terrifying and a huge security risk for me and everyone using DB for anything personal.

  • Heather C.19
    Helpful | Level 5

    I just accidentally merged my personal Dropbox with my client's Dropbox and now he is my admin. I contacted you immediately after to see if you could just reverse this change and nobody has been able to other than telling me that I should "contact my admin" which is honestly unhelpful. There's no way to reset and reverse this!?!

     

    Merging 10 years of other client files, my taxes, a lot of business contacts etc. was an accident.

     

    I did not realize I wasn't just connecting a client's folder (which is what he thought he was sending me, an INVITE TO A FOLDER, it looks almost exactly like an invite to a folder—I thought it was a weird invite to a folder). So I didn't create a new "personal" file because I thought it was an invite — so when Dropbox suddenly swiped all my personal freelance files into my client's Team I was ABSOLUTELY STUNNED. The shock of it! Such an unhappy surprise. I was so angry. I was so upset. All of my trust in Dropbox was lost.

     

    1. I suggest you add several buttons that make very clear (like RED LETTERING, extra codes sent to email) and multiple going back points for someone merging a personal folder into a team. It should be the rare exception that someone merges all their personal files into a team and not the rule. It should not be so easy to accidentally merge all your files into someone else's folder.

     

    2. The Team invite needs to look VERY different from the usual Folder invite on both the sending side and the receiving side (My client did not mean to send me the team invite). And you should make certain with multiple pain in the butt "Yes I want to" want to merge your files with the team.

     

    Right now it's too easy to accidentally click yes, and then have a panic attack as you see all your work copied into someone else's drive.

    It's also a very insecure system, anyone who sends a Team invite can swoop someone else's files and there are many instances (see subject line and also search Twitter, a friend of mine had this happen and she called you and your helpdesk was able to unmerge the team but apparently this is no longer an option) where people have lost tons of files and data due to this accidental joining and merging of a personal account into a Team account.

     

    Anyway, 10 years of goodwill gone and I will not be recommending you to my clients any more!