Okay Geek Farm
Your Dropbox account was unlocked for 4 hours last weekend, anyone could access it
Brandon Davenport
Dropbox is one of my favorite services, and I am sure many of our readers have been using Dropbox for a very long time. We have managed to trust Dropbox with our files stored on their servers, and for the most part they seemed to have been pretty proficient in keeping them safe. Dropbox was such a wonderful service… until last weekend when their lack of attention to security became blatantly obvious.
Essentially what happened was a “bug” started causing trouble at 1:54pm on Sunday, but the Dropbox team didn’t seem to notice at all. They had recently performed a code update, obviously hadn’t tested a single thing (besides basic functionality), and pushed it live to their 25 million users. It wasn’t until 5:41pm (4 hours later) that the bug was found which comprised all user authentication, and only then the team took action — That means your Dropbox account was completely open and publicly accessible for 4 hours — somebody could have logged into your account using any password.
Quote from Official Dropbox Blog
Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
No matter how many people this affected…
Dropbox stresses that “much less than 1 percent” of their users logged in during that period, and that may be true (there isn’t any control number to judge by), but it doesn’t matter if this effected anyone at all — the problem is that Dropbox was careless enough to allow 25 million people’s private data and personal info to be accessible by anyone.
In the end, this event will definitely bring darker times for Dropbox, and it’s going to be extremely hard for them to re-gain the trust of their users. It just seems un-real that a company can leave something like this to go un-noticed for 4 hours, and yet proceed to fix it in 5 minutes.
