A code update accidentally removed password authentication on Dropbox for a few hours.
The online storage website told users that a code update had introduced a bug that affected its authentication mechanism. According to a blog post, a ‘very small’ number of users (apparently fewer than one per cent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, it ended all logged-in sessions.
It said: “We're conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we'll immediately notify the account owner.
“This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again.”
It later updated its blog to say that it was gathering additional data and was continuing to review logs for potentially unauthorised activity. “We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates,” it said.
Frank Kenney, vice president of global strategy at Ipswitch File Transfer, said: “It's unnerving for me to think about the four hours on Sunday when Dropbox left user accounts unlocked and you could access any one of the 25 million users' accounts and data, including mine. Yes, just type in an email address and use any password you want and it's all yours.
“According to Dropbox there wasn't any nefarious activity but if your company's information was on there, legitimately or illegitimately, you just had a data breach. So I was a breach victim and if I had any Ipswitch IP on the servers, the breach is extended accordingly. To Dropbox's credit, their business is all about collaboration and file syncing, not governed file transfer or managed data at rest. In the end, some of these types of cloud services will eventually get enough of it right to secure their future. Some will last, many will not.”
Ron Gula, CEO of Tenable Network Security, said: “When employees use external cloud-based services for email, communications and file sharing of sensitive data, they expose their organisation to more risk.
“Organisations need to have policies in place to authorise, prevent and/or audit the use of services such as Dropbox. For example, if the file shared via Dropbox was encrypted, Dropbox security may not be an issue. However if the file shared via Dropbox was an employee or customer spreadsheet, then any security issue with Dropbox could result in the disclosure of this sensitive information.”
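Gula's point is that a file encrypted on the client before it reaches the sharing service stays unreadable even when the service's own login check fails. The following is an added illustration of that idea, not code from Dropbox, Ipswitch or Tenable: it encrypts a constructed payroll record with AES-GCM using only the Go standard library, binds the file name as associated data, and shows that the stored blob is refused when opened with the wrong key, under a different name, or after a single byte is altered. The passphrase, file name and SHA-256 key derivation are assumptions made for the example; a real client would use a memory-hard KDF with a per-user salt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DeriveKey turns a passphrase into a 256-bit AES key. Plain SHA-256 is a
// stand-in for illustration only (assumption); use scrypt or Argon2 with a
// per-user salt in a real client.
func DeriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// Seal encrypts plaintext under key and returns nonce || ciphertext || tag,
// which is the only thing the sharing service ever stores. The file name is
// bound as associated data so a blob cannot be silently renamed.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 random bytes, never reused with this key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. It fails closed if the key is wrong, the name does not
// match the one used at Seal time, or any byte of the blob was altered.
func Open(key, blob []byte, name string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	// Constructed sample of the kind of spreadsheet Gula describes.
	plaintext := []byte("employee,salary\nalice,90000\nbob,85000\n")
	key := DeriveKey("correct horse battery staple") // example passphrase (assumption)

	blob, err := Seal(key, plaintext, "payroll.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: %d bytes, first 16: %x\n", len(blob), blob[:16])

	// Someone who reaches the blob through a broken login but lacks the key:
	if _, err := Open(DeriveKey("any password you want"), blob, "payroll.csv"); err != nil {
		fmt.Println("wrong key, decryption refused:", err)
	}

	// A modified blob is rejected rather than decrypted to garbage:
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, "payroll.csv"); err != nil {
		fmt.Println("tampered blob, decryption refused:", err)
	}

	// The legitimate owner, holding the key, recovers the file:
	got, err := Open(key, blob, "payroll.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner recovers %d bytes\n", len(got))
}
```

The design point is that the service holds only ciphertext plus a tag: a failure in its password check exposes the blob, but without the client-held key the blob reveals nothing and cannot be altered undetected.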