Dropbox drops the ball, leaves all encrypted user accounts open to any user with no password

Jun 21, 2011

Anyone in the tech world knows that there is often more than a little apprehension when an update to a service is announced or applied. Often things come off without a hitch, but every now and again an epic fail surfaces and the upgrade turns out to be more of a downgrade. Dropbox is a service that lets users store files for sharing; the files are encrypted and secure on the server and can only be accessed by people who have the user name and password.

Apparently, Dropbox really messed up when it applied an update to the service over the weekend. Somehow, the update killed the encryption that Dropbox applies and left all the user accounts open to anyone without a password. User accounts were accessible on Sunday from 1:54pm to 5:46pm. To make matters worse, when Dropbox found out about the issue, it didn't notify users right away. Dropbox offered no official comment until yesterday and apparently, it still hasn't emailed individual users to tell them what happened.

Dropbox CTO Arash Ferdowsi said that "much less than one percent" of users logged into the service at that time. That would be about 250,000 users. Dropbox reports that when the issue was discovered, it forced all users to log out. The company claims that once it is done investigating, it will notify users whose accounts were accessed. Forum posts at Dropbox show that users of the service are not at all happy.

