Yesterday, the popular cloud storage service Dropbox accidentally disabled password protection for all accounts, leaving users' files open to the public and modifiable for about 4 hours. Dropbox serves around 25 million users, and while all of their accounts were accessible, Dropbox asserts that less than 1% of accounts were active during that period, activity that is not necessarily indicative of foul play. The company is still investigating whether any of those cases might have been unauthorized access.
The error was introduced when Dropbox changed some code at 1:54 PST, and it was discovered four hours later. Upon discovery, all active sessions were killed, and users who were active during the password-free period were notified and advised to check their use history. But that's where the buck seems to have stopped. As of now, Dropbox has yet to make a public statement on the matter. Neither their Twitter account nor their homepage makes any reference to the breach, which has some users a little upset.
Macworld quoted Dropbox user Tony Webster as saying:
“Every single Dropbox customer should be getting an e-mail right now about this—not hearing about it from other sources or from a seemingly calm-toned blog post. Dropbox hasn’t even tweeted about this a full 24 hours after it happened. I know I would like disclosure of every single action happening on my Dropbox account during the four hours anybody could access it, and I need that information immediately.”
In the wake of the PSN fiasco, when crucial information was held a little too close to the chest for a little too long, it's understandable that users want to know about security breaches. On the other hand, Dropbox did take action by notifying those who might have been directly affected by the error. If you weren't logged on during the security failure, have no fear: your to-do lists, papers and that novel you've been working on are all safe and sound now that password protection is back up. But if you are a little more wary about keeping important or confidential documents on Dropbox from now on, no one will blame you.