Dropbox yesterday announced the discovery of a bug that disabled the company's authentication mechanism. The flaw was introduced in a software update issued over the weekend and allowed accounts to be accessed with any string of text for a password. All accounts were essentially wide open for nearly four hours between 1:54 and 5:41PM Pacific time on Sunday.
Dropbox hasn't revealed precisely how many accounts might have been accessed illegitimately, but the company said less than 1% of its 25 million users logged in during the affected window. We imagine very few of those 250,000 were aware they could've pillaged another person's account, and even fewer would've had the moral ineptitude required to act on that realization.
The company has launched an investigation to pinpoint unusual activity. All users who logged on while the glitch was live should have received an email and you can contact the company (firstname.lastname@example.org) if you sense something fishy has happened with your account. Naturally, Dropbox has apologized about the slipup, but users don't seem too forgiving.
The very first comment to the company's announcement said the incident was "unacceptable" and many subsequent messages carry a similar tone. We think users might have been more accepting of the blunder if it occurred this time last year, but considering the recent rash of cyber attacks, people are expectedly (and rightfully) touchy about their personal security online.
Dropbox is a cloud-based service that allows users to store files online and seamlessly share them across various Internet-connected devices. Unsurprisingly, many users rely on the service to store their sensitive documents. One commenter notes that their Dropbox account contains tax returns. It's unclear if Dropbox will compensate affected users with free premium service.