Dropbox drops security
Recently, hackers have been in the limelight for breaking into companies’ servers to steal users’ personal information. Yet Dropbox, which provides online storage, needed no help putting its users’ data at risk: the company has admitted that for several hours on Sunday, an update to its code caused a security glitch that allowed people to log into any Dropbox account by typing in any password at all.
In other words, while hackers have pried open the doors to data stored by Sony, the Senate, and other high-profile organizations, Dropbox, for four hours, left the doors completely unlocked.
Between 1:54pm PT, when the code update that introduced the bug was pushed live, and 5:46pm PT, when the issue was corrected (the flaw was discovered at 5:41pm PT), virtually any Dropbox account could be opened by supplying its email address with any password at all, making any documents stored on the system potentially visible to strangers.
Dropbox acknowledged the security bug in a blog post published Monday, writing, “a very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.” Dropbox said it had contacted users whose accounts had been logged into before the authentication bug had been corrected to offer them “additional activity-related details for review.”
The company offered more details on how it was addressing its misstep:
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. […] This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
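The article never says what the faulty code update actually did, only that any password was accepted for roughly four hours. As an added illustration (not Dropbox's code; the defect below is hypothetical, and the hashing parameters and service layout are assumptions), the block contrasts a correct password check with a plausible regression that always returns success, then shows the kind of negative test that would have failed before deployment, along with the "end all logged-in sessions" step Dropbox described:

```python
"""Constructed illustration of an 'any password accepted' regression.

Added example, not Dropbox's code. The page does not describe the real
defect, so verify_broken() is a hypothetical stand-in for whatever the
bad update did.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class StoredCredential:
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_credential(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(salt=salt, pw_hash=hash_password(password, salt))


def verify_correct(cred: StoredCredential, password: str) -> bool:
    # Recompute the hash and compare in constant time; the comparison result
    # is the return value.
    return hmac.compare_digest(cred.pw_hash, hash_password(password, cred.salt))


def verify_broken(cred: StoredCredential, password: str) -> bool:
    # Hypothetical regression: the comparison is computed but its result is
    # discarded, so every password (including the empty string) is accepted.
    hmac.compare_digest(cred.pw_hash, hash_password(password, cred.salt))
    return True


@dataclass
class AuthService:
    verify: Callable[[StoredCredential, str], bool]
    users: Dict[str, StoredCredential] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> email

    def register(self, email: str, password: str) -> None:
        self.users[email] = make_credential(password)

    def login(self, email: str, password: str) -> Optional[str]:
        # Returns a fresh session id on success, None on failure.
        cred = self.users.get(email)
        if cred is None or not self.verify(cred, password):
            return None
        sid = os.urandom(16).hex()
        self.sessions[sid] = email
        return sid

    def end_all_sessions(self) -> int:
        # The precaution Dropbox described: invalidate every live session so
        # anyone who got in during the window is logged out. Returns the count.
        count = len(self.sessions)
        self.sessions.clear()
        return count


def auth_regression_test(verify: Callable[[StoredCredential, str], bool]) -> bool:
    """Negative test for the login path: True only if the correct password is
    accepted AND a wrong password AND an empty password are both rejected.
    A deploy gate running this would have failed on verify_broken."""
    cred = make_credential("correct horse battery staple")
    return (
        verify(cred, "correct horse battery staple")
        and not verify(cred, "wrong password")
        and not verify(cred, "")
    )


if __name__ == "__main__":
    print("correct check passes regression test:", auth_regression_test(verify_correct))
    print("broken check passes regression test:", auth_regression_test(verify_broken))
```

The point of the negative test is that a password check which only has "right password works" tests will pass both implementations; the bug surfaces only when the suite insists that wrong and empty passwords are rejected.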
The Dropbox authentication bug comes as companies such as Apple, Google and Amazon are encouraging consumers to move more and more of their data to the cloud, storing it on remote servers that companies promise are reliable and secure. But these services are appealing only insofar as they are trustworthy and accessible, and security scares such as the one suffered by Dropbox are likely to turn users away from the notion of storing their information remotely, despite the conveniences it may offer.
Not only have companies struggled to keep their systems secure, but many have stumbled when it comes to communicating with their customers about breaches. Sony, for example, waited days before admitting that a cyber attack had put over 100 million users’ information at risk.