Dropbox Accounts Were Accessible by Anyone for Four Hours on Monday

A code update left Dropbox, the popular cloud storage service, password-free for about four hours on Monday afternoon.

During this time, anyone could access any of Dropbox’s 25 million user accounts by typing in any password.

The lapse occurred between 1:54 p.m. and 5:46 p.m. PT. According to Dropbox’s blog post, “much less” than one percent of its members logged in during this period. However, the company still isn’t clear whether any improper behavior occurred during that time. If you suspect any strange activity on your account, you can email support@dropbox.com.

“This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again,” the company wrote in a rather vague blog post.

The bug was first posted on Pastebin, another storage site often used by programmers, by cybersecurity researcher Christopher Soghoian, who is pursuing a doctorate at the University of Indiana. The unnamed person who tipped him off had realized that even obvious typos made while entering his password still logged him into his account.

Soghoian was most likely contacted because he has been scrutinizing Dropbox’s security system for months. In May, he filed an FTC complaint against the company for misrepresenting its security level and for using a type of encryption technology that put its users at risk of data breaches and identity theft.

Full Story Via PCmag.com