Is there a place where I can access the login history for my account?

Question

I received an email this morning that someone logged into my Dropbox account. I was incredibly disappointed that I can't see the history of successful sign ins like I can on every other important site I use.

I don't store anything important in Dropbox, but my password was auto-generated by my browser's password manager and never copied/typed, so I was surprised to see that someone was able to use it (obviously I should have had MFA enabled, and I have since enabled it).

If I did have important information stored, I wouldn't have any way to look at the sign in history and react appropriately. The "new login" email looked legitimate, and may be legitimate, but I have absolutley no source of truth to compare it to.

Will Dropbox enable an immutable sign in history? If not, I don't see how it is a safe place to store secure files.

DiagramUser · Answer

I gave this same reply to a moderator who brought this up after you, but it seems fair to put it here as well since you did suggest it first:

I tested this.

I logged into Dropbox on my laptop and on my phone. I opened the list on my laptop and it showed both devices. I then logged out of my account on my phone, refreshing the list on my laptop, and my phone dissapeared from the list.

This list only shows devices that haven't explicitly logged out - meaning that this list is mutable. All an attacker has to do is log out of the account after taking any documents they want and their information is lost.

DiagramUser · Answer

Under Devices and activity, you’ll see which computers and browser sessions are currently (and recently) logged in to your account, along with IP addresses.

I tested this.

I logged into Dropbox on my laptop and on my phone. I opened the list on my laptop and it showed both devices. I then logged out of my account on my phone, refreshing the list on my laptop, and my phone dissapeared from the list.

This list only shows devices that haven't explicitly logged out - meaning that this list is mutable. All an attacker has to do is log out of the account after taking any documents they want and their information is lost.

Megan · Answer

Hey @DiagramUser, let me jump in here too!

To add to what @Hannah mentioned, you can review all of your current and past login sessions right from your Dropbox account settings.

Under Devices and activity, you’ll see which computers and browser sessions are currently (and recently) logged in to your account, along with IP addresses.

If you’d also like to see which apps have access to your account, switch to the My apps tab. This gives you a clear view of where and how your account has been accessed.

Lastly, keep in mind that our two-factor authentication is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account. Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox online or link a new computer, phone, or tablet.

You can read more about this here.

If you have any questions, let me know!