Dropbox Accidentally Left User Data Unprotected


The online data storage service Dropbox rolled out a server update Monday afternoon that unintentionally shut off password authentication for all user accounts. The flaw was eventually fixed, but for about four hours none of the company’s customers’ accounts had any password protection.

Dropbox lost security controls yesterday

Dropbox updated its server code at 1:54 p.m. Pacific time on June 20, introducing the bug that dropped the password requirement for logging into users’ accounts. The security issue was discovered at 5:41 p.m. and fixed at 5:46 p.m.

The company said that it emailed all users who were logged in to their Dropbox accounts during the unsecured window.

“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner,” Dropbox CTO Arash Ferdowsi said on the company’s blog. “If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.”

Dropbox users can check whether any unauthorized file transfers or access have occurred by logging into their account on the Dropbox Web site and clicking the Events tab.

According to the company, about one percent of its users were logged in during the security incident.
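The failure the article describes is an authentication check that failed open after a deploy: for four hours any password was accepted. The block below is an added example, not Dropbox’s code (Dropbox has not published how its check broke), showing the two defensive pieces a practitioner would want against this class of bug: a password check that fails closed on any error, and a deploy-time canary that creates a throwaway account and refuses to pass a build in which a wrong or empty password is accepted. The in-memory user store, the account names and all function names are hypothetical; `broken_login` is a constructed stand-in for a check that ignores the password, included only to show the canary catching it.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical in-memory user store for the example: username -> (salt, PBKDF2 digest).
_USERS = {}
_ITERATIONS = 100_000


def register(username: str, password: str) -> None:
    """Store a salted PBKDF2-HMAC-SHA256 digest of the password (never the password itself)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    _USERS[username] = (salt, digest)


def verify_password(username: str, password: str) -> bool:
    """Return True only if the candidate password re-derives the stored digest."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def login(username: str, password: str) -> bool:
    """Fail closed: an exception, a missing record or a non-True result all deny access."""
    try:
        return verify_password(username, password) is True
    except Exception:
        return False


def broken_login(username: str, password: str) -> bool:
    """Constructed example of the bug class: the password is never consulted."""
    return username in _USERS


def auth_canary(login_fn) -> bool:
    """Deploy-time smoke test for an authentication function.

    Registers a throwaway account and checks three things: the right password
    is accepted, a wrong password is rejected, and an empty password is
    rejected. Returns True only if all three hold, so a build whose login
    accepts anything (as in the incident above) fails the check.
    """
    name = "canary-" + secrets.token_hex(4)
    password = secrets.token_urlsafe(16)
    register(name, password)
    try:
        return (
            login_fn(name, password) is True
            and login_fn(name, "not-the-password") is False
            and login_fn(name, "") is False
        )
    finally:
        # Remove the throwaway account whatever the outcome.
        _USERS.pop(name, None)


if __name__ == "__main__":
    print("correct login passes canary:", auth_canary(login))          # True
    print("password-ignoring login passes canary:", auth_canary(broken_login))  # False
```

Running the canary against the real login path after every deploy, rather than only in unit tests, is what makes it useful here: the article’s bug was introduced by a server update and went unnoticed for almost four hours, which is exactly the window a post-deploy check is meant to close.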


Comments

ilikeimac

Yikes! I have no email, but there probably wasn’t any activity on my account during the time period in question. If you’re storing sensitive information on Dropbox, you should definitely be encrypting it. (I hear good things about TrueCrypt, but the instructions sound complicated.)

Joe Krahn

A properly designed backup service would support encryption so that access is meaningless without the private encryption key. The only reason not to is for either companies or the government to snoop through your data. Maybe the government is discouraging encryption?

webjprgm

A properly designed backup service would support encryption so that access is meaningless without the private encryption key. The only reason not to is for either companies or the government to snoop through your data.

So is there no service like Dropbox that includes encryption? If not, why don’t some people make a Y-combinator business out of that idea? Dropbox and Mozy sure took off fast enough.

Hmm, on Mozy’s website they say this:

All user data is encrypted locally with military-grade encryption prior to transfer via a secure SSL connection. Users can choose a managed encryption key or choose a personal key for added security.

Though as far as I can tell, Mozy is a paid online backup service whereas Dropbox is a free (at least entry level) online hard disk. In the one case you just keep a backup copy of all your data offsite, in the other case you actually use the online storage for data mobility. So they aren’t competitors.

Anyone know of other Dropbox-like services? This is the second security issue with Dropbox, the first one being their locally-stored token that, if copied, would let any computer access all files without a password. I don’t like putting my data in insecure places. I have a small amount of sensitive data there that is encrypted, but I don’t like the idea of letting someone easily get it and try to crack the encryption or password.
