The online data storage service Dropbox rolled out a server update Monday afternoon that unintentionally shut off password authentication for all user accounts. The flaw was eventually fixed, but for about four hours there wasn’t any password protection for all of the company’s customers.
Dropbox lost security controls yesterday
Dropbox updated its server code at 1:54pm pacific time on June 20, which introduced the bug that dropped password requirements for logging into user’s accounts. The security issue was discovered at 5:41pm, and fixed at 5:46pm.
The company said that it emailed all users that were logged in to their Dropbox accounts during the unsecure window.
“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner,” Dropbox CTO Arash Ferdowsi said on the company’s blog. “If you’re concerned about any activity that has occurred in your account, you can contact us at [email protected].”
Dropbox users can check their activity to see if any unauthorized file transfers or access has occurred by logging into their account on the Dropbox Web site, then clicking the Events tab.
According to the company, about one percent of its users were logged in during the security incident.