Software bug exposed Dropbox users’ accounts to others

The accounts of people using Dropbox, a cloud computing service, were accessible to other users during a nearly four-hour period Sunday.

The breach was caused by a software update that affected the authentication mechanism of the service, the company said. Dropbox allows users to store files -- which can be anything including documents containing personal data and picture files -- on remote servers that are accessible from anywhere in the world.

Dropbox, which announced in April that it had more than 25 million users, said in a blog post Monday that only 1% of its users logged in while the window was open. It said it was ‘conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed.’

‘This should never have happened,’ Arash Ferdowsi, the company’s founder, said in the post. ‘We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.’

The bug exposed Dropbox user accounts beginning about 1:54 p.m. Pacific time and was discovered by the company at 5:41 p.m. Five minutes later it had fixed the problem, Dropbox said.

Dropbox, which has promoted itself as a safe place to keep people’s files online, has a responsibility to get its security right, said Tin Zaw, the Los Angeles chapter president of the Open Web Application Security Project, a nonprofit organization focused on raising security awareness among Internet users and developers.

‘Small companies are often under intense pressure to grow, and they sometimes forget about security,’ he said. ‘Security is very important in cloud computing and Dropbox should’ve done a better job.’

Dropbox recently also came under scrutiny when it updated its terms of service, informing users that it would decrypt users’ files and give the government access to them if asked. Zaw said that was comparable to storing something in a bank safe-deposit box, but letting the bank keep both the box and the key to access it.

‘If you want to keep something secret, you put it in the box and lock it, but you keep the key yourself,’ he said.

-- Salvador Rodriguez