Dropbox bug left some accounts accessible without passwords

by Phil Hornshaw

One of the things I like best about my smartphone is Dropbox, a cloud-based storage service that lets me save and share documents and files across multiple devices and even with multiple people. It’s a great way to start working on a file from my PC and pick it up later on one of several other devices, including Android smartphones and tablets and the iPhone and iPad.

But while the service is convenient, it also needs to be really secure. Dropbox makes a point of promoting that security to its users and potential customers, but yesterday a bug in the Dropbox software caused the system to disregard passwords for about four hours. Theoretically, if you knew another user’s email address, you could access anything they’d saved into their cloud storage space.

TechCrunch has the story: a code update that Dropbox pushed to its software created the issue at around 1:54 P.M. Pacific; the problem was identified at about 5:41 P.M. and fixed about five minutes later. Dropbox said in a blog post that “much less than 1 percent” of users logged in during that time, so the chances of data being compromised are small, it says. Still, the company is checking logs to make sure nothing was accessed improperly, and will notify any customers whose security seems to have been breached.

Here’s an excerpt from the Dropbox blog that details what to do if you think you’ve been affected:

“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”

A further update to the blog states that Dropbox has notified every customer whose account was accessed during that four-hour window, so if you haven’t received a slightly troubling email from the company, your data probably hasn’t been compromised.
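The log review the article describes, as an added illustration that is not Dropbox’s code and knows nothing about its real log format: every successful login that fell inside the reported window is treated as potentially unauthenticated, the account is listed for notification, and sessions from a source address the account had never used before the window are flagged for closer review. The log lines, the field layout and the exact end of the window (about five minutes after 5:41 P.M.) are constructed assumptions.

```python
from collections import defaultdict
from datetime import time

# Vulnerability window from the article: bad update at 1:54 P.M. Pacific,
# fix about five minutes after it was identified at 5:41 P.M. (end approximate).
WINDOW_START = time(13, 54)
WINDOW_END = time(17, 46)

# Constructed sample log (not Dropbox's real format), chronological order.
# Fields: local Pacific time, event, account, source IP. Only successful
# logins matter: inside the window a login "succeeded" regardless of password.
SAMPLE_LOG = """\
09:15:02 login alice@example.com 198.51.100.7
13:30:12 login bob@example.com 203.0.113.9
14:05:41 login bob@example.com 198.51.100.20
15:12:55 login carol@example.com 192.0.2.44
17:40:10 login alice@example.com 198.51.100.7
17:50:03 login dave@example.com 192.0.2.61
"""


def parse_log(text):
    """Yield (time, account, ip) for each successful login line."""
    for line in text.splitlines():
        stamp, event, account, ip = line.split()
        if event == "login":
            h, m, s = (int(x) for x in stamp.split(":"))
            yield time(h, m, s), account, ip


def review_window(text, start=WINDOW_START, end=WINDOW_END):
    """Return {account: [(time, ip, seen_before)]} for logins in the window.

    seen_before is True when the account had already logged in from that IP
    before the window opened (looks like a returning device). Every listed
    account gets notified; entries with seen_before False are reviewed first.
    """
    baseline = defaultdict(set)   # account -> IPs used before the window
    hits = defaultdict(list)
    for t, account, ip in parse_log(text):   # relies on chronological input
        if t < start:
            baseline[account].add(ip)
        elif start <= t <= end:
            hits[account].append((t, ip, ip in baseline[account]))
    return dict(hits)


if __name__ == "__main__":
    for account, sessions in review_window(SAMPLE_LOG).items():
        for t, ip, known in sessions:
            print(account, t, ip, "known device" if known else "NEW source")
```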

This is a tough break for Dropbox, because the company had been doing so well. It has been growing quickly over the last year – probably due in some part to its strong support of multiple mobile devices and to providing a good deal of services and storage space for free – and TechCrunch reports the company might have a valuation as high as $2 billion. The service works really well, but it’s only as valuable as the amount of customer trust it can earn, because people tend to use it to save important, private information they want to keep secure across multiple devices. Without firm trust that Dropbox files are safe, users will find some other service that can protect their data – or at least seem to.

The good news for Dropbox users is that the company seems to be well aware that its reputation is on the line with things like this bug, and it has been scrambling to fix it. The Dropbox blog claims additional safeguards are being set up to prevent such a bug from ever happening again. That’s at least a little comforting.