Dropbox accounts left completely unprotected for four hours

A flawed code update over the weekend botched the password authentication component of Dropbox on Sunday, leaving the popular cloud storage service essentially unprotected for four hours. As reported by PC Magazine, users logging onto Dropbox between 1:54 pm and 5:45 pm on Sunday would have been able to access all the files stored in any of the 25 million accounts on Dropbox--even without typing in a password or with the wrong password.

According to InformationWeek, the flaw was made public by security researcher Christopher Soghoian after he received a tip from an unidentified Dropbox user who found himself able to log into his account in spite of obvious typos when keying in his password. The error was fixed about five minutes after Dropbox was notified.

In an update posted on the company's blog, Dropbox founder Arash Ferdowsi admitted that the error "should never have happened." He wrote: "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again." This fiasco is certainly a heavy blow to the reputation of the company, which is still recovering from allegations in an FTC complaint just last month that it lied to users about its data security.

For more on this story:
- check out this article at InformationWeek
- check out this article at PC Magazine
- check out this article at Examiner.com
