Join team/merge account potential compromise

Heather, thanks for the heads up. I am shocked and I commiserate with you. It definitely should not be so easy to lose control over your own files. I believe my colleague thought they were also gaining access to shared files. I definitely know there was no interest in merging accounts. How do dropbox let this go on? It's an exfiltrator's goldmine. I will definitely be suggesting more secure services after this.

You're welcome Jim! I'm sorry it happened to you and your friend too! It feels like we've been hacked. I'm also shocked. It seems really easy for anyone to send a link to join a team folder and shoop–suddenly have a ton of free data! I'm moving my files to something more secure. In doing some investigating I also found out that DB employees can look at your files whenever?? That's terrifying and a huge security risk for me and everyone using DB for anything personal.

It is absolutely terrifying. I hope your client does the right thing. Seems like the sort of thing that should have multiple steps and prompts to conclude the process.

Did you manage to find a call line number, or did you have to wait for a response to a submitted ticket?

One of my concerns is if an admin can access files/folders owned by a user outside of the team.

They can! Admins are able to access all files in the team folder, including your previously "personal" ones. They can delete, share or remove your access to those files. https://help.dropbox.com/account-access/admin-control

I think I've found a workaround, you have to create a new personal account using a new email. Then you can link the two dropboxes and copy your files into your personal account on your desktop. Then download everything from desktop to your hard drive and unlink the business. Then I think you should be able to delete the files from their dropbox. The only thing is making certain you have every file fully downloaded and the uncertanty if the admin is able to reactivate your deleted files from the dropbox trash unless you can convince them to delete your account.

I haven't heard back from support, I imagine it will be several days?

Headaches! We have our files downloaded. I was able to download everything directly from the "team" account.

Can you use the linked account to control your merged account ie. delete it? I think unlinking from the business only removes your personal account from it - is that right? The Admin can undelete items - unfortunately. Otherwise, they sit there for 30 days before being deleted permanently. I think 30 - I read it somewhere recently but am not 100%. 

Oh I'm glad to hear that! Just make sure you've got those files in a place separate from the dropbox folder or when the admin deletes your account they'll disappear. Unfortunately only an admin can delete your account from their team folder, ugh.

It is also the admin that can only permanently delete files. I mean, makes sense. If your account wasn't hijacked.