Dropbox Account Hacked? How to Recover and Secure It (2026)

Technobezz

Senior Editor

Jun 6, 2026

Your friends are messaging you about strange links you never sent. There's a Dropbox email about a sign-in from a country you've never visited, and when you try to log in, your password suddenly doesn't work. That sinking feeling is real, but so is the path back. Dropbox has built-in tools to confirm what happened, lock intruders out, and in most cases return your files to exactly how they were. Work through the actions below in order, starting with the fastest fixes, and you can usually take back control without losing your data.

Before you touch anything, one rule keeps you safe throughout this process. Always start recovery on a device, browser, and network you have used to sign in to Dropbox before, since Dropbox treats familiar devices as more trustworthy. Never create a brand-new account to report the hacked one, and never share a verification code, password, or two-factor code with anyone. Genuine Dropbox support will never ask for those, and no legitimate "account recovery service" can do anything you can't do yourself for free.

Run Security Checkup the Moment You Can Still Sign In

If you can still log in, the single most efficient first move is Dropbox's Security Checkup tool. Go to dropbox.com/security_checkup, or open it by clicking "No" or "I didn't try to sign in" on a Dropbox security email. This one flow walks you through everything an attacker could have touched, so you fix multiple holes in a few minutes instead of hunting through menus.

The Security Checkup tool guides you through five items in order:

  1. Confirm the account email is still yours and hasn't been swapped.
  2. Review the computers, phones, tablets, and web browser sessions signed in to your account, and remove any you don't recognize.
  3. Review linked third-party apps and unlink anything unfamiliar or unused.
  4. Update to a strong, unique password.
  5. Review your 2-factor settings, including authenticator apps, phone numbers, and security keys.

Treat anything unfamiliar in that list as hostile and remove it. An attacker often leaves behind a connected app or a lingering browser session so they can return after you change your password, and Security Checkup is designed to surface exactly those leftovers.

Change Your Password and Cut Off Every Other Session

Whether or not you ran the full checkup, set a fresh password right away. While logged in at dropbox.com, click your avatar (your profile picture or initials), click Settings, open the Security tab, and click "Change password." Dropbox emails a reset link so you can set the new one. One important detail: you cannot reset or change your Dropbox password in the mobile app, so do this in a web browser.

Choose a password you don't use on any other service, and never share it with anyone. Reusing a password is how many of these break-ins happen in the first place, so a unique one closes that door for good.

Changing the password is only half the job, because anyone already signed in elsewhere can stay there. Still in Settings then Security, look under Devices and click the trash can icon next to any device you want to log out of remotely. Logging out a computer stops it from syncing further changes until it signs back in. Logging out a phone or tablet blocks access to your files, including offline files, from that device until it signs in again. If you're on a paid plan and a computer was lost or stolen, you can also tick "Delete files from [account] Dropbox the next time this computer comes online" to remote-wipe it.

Locked Out Already? Start With Forgot Password

If the attacker already changed your password and you can't get in, you don't need support yet. Go to dropbox.com/login, enter the account email, and click Continue, then click "Forgot your password?" beneath the Password field. Re-enter your email and submit. Dropbox sends a reset link from no-reply@dropbox.com, so check your spam folder if it doesn't arrive promptly. You can also start directly at dropbox.com/forgot.

This works as long as you still control the email address on the account. Before you type anything, confirm you're on the genuine dropbox.com domain rather than a lookalike page, especially if a message steered you there.
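The lookalike check above can be made mechanical. The following is an added example, not part of the original article or any Dropbox tool: it accepts an address only when the host is exactly dropbox.com or a subdomain of it over HTTPS. Treating subdomains as genuine is an assumption, and every sample URL is constructed.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "dropbox.com"  # the only domain the article names


def is_genuine_dropbox_url(url: str) -> bool:
    """True only for https URLs whose host is dropbox.com or a subdomain of it."""
    url = url.strip()
    # Browsers treat "\" like "/", and strip control characters, so a
    # parser can disagree with the browser about the host. Reject both.
    if "\\" in url or any(ord(ch) < 0x21 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, without userinfo or port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")
    # Exact comparison against the ASCII name also rejects homoglyph
    # hosts (for example a Cyrillic "o"), which never compare equal.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def suspicious_links(urls):
    """Return the URLs from a message that fail the check, in order."""
    return [u for u in urls if not is_genuine_dropbox_url(u)]


# Constructed sample links, as they might appear in a "password changed" email.
SAMPLE_LINKS = [
    "https://www.dropbox.com/forgot",                    # genuine
    "https://dropbox.com.account-verify.example/login",  # real name used as a prefix
    "https://dropbox.com@login.example/forgot",          # real name hidden in userinfo
    "https://dr\u043epbox.com/login",                    # Cyrillic "o" homoglyph
    "http://dropbox.com/login",                          # no TLS
    "https://login.example\\@dropbox.com/",              # parser/browser disagreement
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "ok" if is_genuine_dropbox_url(link) else "SUSPICIOUS"
        print(f"{verdict:10} {link!r}")
```

Each rejected sample contains the string "dropbox.com" somewhere, which is why reading the address by eye is unreliable and typing it yourself is safer.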

When a Password or Email Change Notice Arrives That You Didn't Make

Got an email saying your password or address was changed, and you didn't do it? Don't click any links inside it. Go directly to dropbox.com and try logging in with your original password.

  1. If login succeeds, the change likely never happened and the email is probably a phishing attempt. Forward it to abuse@dropbox.com.
  2. If login fails, reset your password at dropbox.com/forgot using the steps above.
  3. If both your email and your password were changed and you can't reset, submit a support ticket at dropbox.com/support. If you receive an automated reply, reply to it confirming you completed these steps.

The instinct to click the "secure your account" button inside an alarming email is exactly what attackers count on. Navigating to dropbox.com yourself, by typing the address, sidesteps that trap entirely.

Getting Past Two-Factor When Your Phone Is Gone

If two-factor authentication is blocking you because you lost your phone or changed your number, you still have several routes in. In the sign-in verification window, click "Having trouble getting a code?" Then choose one of the following:

  1. "Enter the emergency backup code," then type one of your saved 8-digit codes.
  2. "Text my backup phone," if you added a backup phone number under the Security tab's Backup method.
  3. "Send me a notification," which pushes a prompt to a device still logged in to Dropbox.

A recovery email, if you added one, can also receive a code. Separately, a trusted computer running the Dropbox desktop app can log you in through the Dropbox tray or menu-bar icon. If none of these methods work, contact Dropbox Support. Dropbox lists no guaranteed self-service path when you've lost all backup methods and email access at once, which is exactly why the lockdown steps later in this guide matter so much.

If You Still Can't Get In, Open a Support Ticket

When forgot-password and the two-factor fallbacks all fail, contact Dropbox Support at dropbox.com/support. This is the right destination for both-credentials-changed situations and for anyone fully locked out, so don't waste time looking for a separate "recovery form."

If your account is part of a Team or Business plan, also check your single sign-on (SSO) status and contact your organization's admin or IT department. An admin can reset a member's password from the Admin Console, found in the left sidebar under Members. One honest caveat: Dropbox notes it may be unable to help you regain access if you previously shared account access with another person, so factor that in if you handed credentials to someone in the past.

Lock the Account Down So It Can't Happen Again

Once you're back in, harden the account so a stolen password alone can never be enough. At dropbox.com, click your avatar, click Settings, open the Security tab, and switch "2-factor authentication" to On, then re-enter your password.

When you enable it, Dropbox issues 10 emergency backup codes. Each code is 8 digits and can be used only once. Save them somewhere safe. In the Security tab, click "Show" next to "Recovery codes" and enter your password to view them. Add a backup phone number under Backup method as well, so you have a fallback if you lose your primary device. One thing to remember: turning 2FA on or off resets and invalidates your existing backup codes, so re-save a fresh set after any change.

Add a Recovery Email as Your Safety Net

A recovery email is the difference between a quick self-reset and a slow support ticket the next time something goes wrong. At dropbox.com, click your avatar, click Settings, and open the Security tab. Next to "Recovery email address," click "Add a recovery email," enter your Dropbox password, and submit, then enter the backup email address.

Verify it with the 6-digit code Dropbox sends to that address. Once verified, the recovery email can be used to reset your password and to receive security codes if you ever lose access to your primary email, closing the worst-case gap where you have no way back in at all.

Check Your Files for Damage and Roll Back if Needed

With the account secured, see what the intruder actually did. If you spot unfamiliar files, click the file and choose "Version history" to see who added it, and check the Sharing page for any unexpected shared folders you didn't create.

If files are missing, recover them. On a paid plan you have a stronger option: Dropbox Rewind can roll your entire account back to an earlier point in time, undoing a batch of malicious deletions or changes in one move rather than file by file.

Frequently Asked Questions

How long does it take to recover a hacked Dropbox account?

Dropbox does not publish an official timeline for recovering a hacked or locked account, or for a support response. If you can still log in, the self-service steps (Security Checkup, password change, logging out sessions) take effect immediately. Cases that require a support ticket at dropbox.com/support depend on Dropbox's review.

Can I reset my Dropbox password from the mobile app?

No. You cannot reset or change your Dropbox password in the mobile app. Use a web browser, sign in at dropbox.com, and go to your avatar, then Settings, then the Security tab, then "Change password," or use dropbox.com/forgot if you're locked out.

What if I lost my phone and all my two-factor backup codes?

In the sign-in verification window, click "Having trouble getting a code?" and try a saved emergency backup code, your backup phone, a notification to a logged-in device, or a recovery email. A trusted computer with the Dropbox desktop app can also sign you in. If none of these work, contact Dropbox Support at dropbox.com/support. Dropbox lists no guaranteed self-service option once every backup method and email access are gone.

I got an email saying my password was changed but I didn't change it. What should I do?

Don't click links in the email. Go directly to dropbox.com and try logging in with your original password. If it works, the email is likely a phishing attempt, so forward it to abuse@dropbox.com. If it fails, reset your password at dropbox.com/forgot, and if both your email and password were changed, submit a support ticket at dropbox.com/support.

Can someone undo my password change if they hacked the account?

Possibly, which is why two-factor authentication matters. After you regain access, turn on 2FA in Settings then Security, save the 10 single-use 8-digit backup codes, add a backup phone, and add a verified recovery email. With those in place, a stolen password alone is no longer enough to take over the account again.

Are paid third-party Dropbox recovery services worth it?

No. Avoid any paid third-party "account recovery service." Everything needed to recover and secure a Dropbox account is available to you for free through Dropbox's own tools and Dropbox Support, and no outside service can do more than you can yourself. Never share your password, a verification code, or a two-factor code with anyone claiming they can help.
