The Dropbox Hack and The UX of Security

Honesty is the best policy. Honestly.

Several years ago, I was an avid Dropbox user. However, as times changed and technology moved forward, I abandoned the service. As an Android user, Google Drive’s tight integration into the ecosystem paired with the much larger amount of free storage had easily won me over. Over time, Dropbox became a distant memory.

Until a few days ago, when I received this email:

Huh, that’s strange. That “mid-2012” is oddly specific; it doesn’t read like a routine sweep to stamp out stale passwords. You’d have to wonder what prompted it. Still, the message is quite reassuring that this is not an urgent matter, purely a preventative measure.

As a Dropbox abandoner, I saw no need to log in to change the password of a service I no longer use. It wasn’t hurting anyone. That was, until I read the headlines a few days later.

https://motherboard.vice.com/read/dropbox-forces-password-resets-after-user-credentials-exposed

Oh, that doesn’t sound good.

http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts

Yes, this is bad. This is very bad.


This all stems from a data breach in 2012, which Dropbox was fully aware of at the time. Their response then was to roll out a few genuinely useful security measures, including two-factor authentication. But again, the company reassured customers that the number of affected accounts was “very small” and that this Security Update was purely preventative. No action was required… until 4 years later.

Look, data breaches are bad for business. You know what’s worse? Lying to your customers. As mentioned previously, the company has known of the data breach since 2012. By framing its response as proactive rather than reactive, Dropbox has intentionally chosen to lie to its users.

In terms of user experience, this is pretty much the worst thing you can do. It is incredibly damaging to a user’s trust, confidence and perception of the brand, and it could have been easily avoided by being upfront and admitting what they knew.

I know, it sucks to have to admit your mistakes. But there are plenty of tactful ways to inform the user and provide actionable next steps; MailChimp’s Voice and Tone guide is a good place to start. Remember, copywriting and communication are a major part of the user experience.

Further, the lack of urgency goes beyond the text. The email I received was a plain block of text with no clear call-to-action; it may well have been a standard system-message template. It’s clear that no design consideration went into it.

The lack of a clear call-to-action is especially problematic because the action the user must take is so rare. Dropbox is a service that runs in the background and is intentionally invisible; signing in is something a user might not do for months or years, which is exactly why a notice asking for it needs to be impossible to miss.

Okay. Personally, I hate it when people post rants like this without offering clear solutions. Luckily, issues like the one Dropbox created are easily avoidable. My recommendations:

  1. Be clear and direct when things go wrong. Apologize for the error and reassure the user that you’re still competent and trustworthy.
  2. Fix the problem(s) as soon as possible, then give the user a clear and direct path to take immediate action.
  3. Don’t wait 4 years to tell your users to change their password after it has been leaked. Good Lord.

Thanks for reading! I’m Jim Silverman, the product designer behind MeetMidway. You can follow me on Medium, Twitter, or Dribbble.
