Dropbox dropped the ball on Sunday, when it left its 25 million users’ accounts unlocked for four hours. The cloud-based file-storing-and-sharing company attributed the incident to a programming change that introduced a bug into its system, allowing accounts to be opened without proper authentication.
The bug was released at 1:54 p.m. PT, and the issue was identified and resolved four hours later. But during that window, all accounts could be accessed without entering the correct passwords. This means that virtually all documents, files and information stored on the site could be viewed and even taken by any other user.
According to the Dropbox blog, less than 1% of user accounts may have been illicitly accessed. The company has emailed all users whose accounts were accessed on Sunday, with reports of the activity and the information viewed during that time.
From the Dropbox Blog:
[Update - 2:49am] – At this point, the accounts that logged in during the period have been emailed with additional activity-related details for review. If you have any questions or concerns, please contact us at email@example.com.
Naked Security advises, “If your account was accessed, be sure to ask Dropbox for a detailed log of what happened so you can find out what got stolen as well as what got changed. Unauthorised access and unauthorised modification are both bad for your digital well-being.”
The security structure of Dropbox is what led to this breach, and it has come under criticism in the past. The company encrypts all data on its own servers, not on the individual user’s machine, with the intent of providing a quick resolution if a person forgets his password. But that leaves the information subject to serious security risks.
Researcher Christopher Soghoian filed a claim with the FTC several months ago, alleging that Dropbox “has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data.”
Considering that this incident was not the result of a hacker’s attack, and that Dropbox compromised its users’ data completely through internal error, the future of the service is uncertain. One certainty is the displeasure of Dropbox users with this news. Angry commenters have been sharing their frustration on the Dropbox forum.
How does this affect your opinion of Dropbox and other similar storage services? Do you have a Dropbox account that was compromised?