Dropbox recently restored years-old "deleted" files for some customer accounts by accident, drawing attention to a potential privacy problem.
Files supposedly deleted by customers from the company's servers were instead retained for as long as eight years, according to several reports over the past few weeks. The company apologized for what it has described as "a bug" as well as a botched software fix that led to the unintended document recoveries.
Normally, Dropbox permanently wipes files—eradicating the data from its servers—60 days after a person deletes them, in accordance with the company's privacy policy. Something went wrong, in this case, that prevented the company from following through with the process. A Dropbox employee identified only as Ross S., who responded Thursday to complaints posted to the company's "help center" forum, said some files apparently had "metadata inconsistencies," tech jargon that the company neither elaborated upon nor clarified, despite Fortune's inquiries. (Dropbox did not immediately respond to specific requests for information about the number of files or customers affected, nor Ross' full name or title)
Dropbox's engineers "quarantined and excluded" these faulty files from the queue of ones to be permanently deleted until they could fix the problem, Ross said. Then while attempting to implement a solution, the engineers "inadvertently" caused the years-old files to resurface from the trash heap and be restored to people's accounts. "This was our mistake," Ross wrote. "It wasn’t due to a third party and you weren’t hacked."
On Sunday, Dropbox promised to sweep the zombie files to oblivion, according to a follow-up note also penned by Ross. The company's engineers planned to roll out an automatic fix designed to clean up the mess later that day, he said. Ross added two caveats: resuscitated files and folders that customers have since edited will remain untouched. And customers who have developed a newfound fondness for their previously deleted documents can request that they be permanently restored by Dropbox's support team, as long as they do so within 30 days.
"Thanks again for your patience, and we’re sorry for any inconvenience and confusion we’ve caused," Ross said. Over the past few years, Dropbox has moved the vast majority of its cloud infrastructure off of Amazon, a popular cloud computing provider, onto its own custom machines.
