Dropbox Accidentally Turned Off Passwords for 4 Hrs
Thanks to a bug introduced by a code update, the entire world had access to Dropbox accounts for just under four hours.
On Monday, Dropbox CTO Arash Ferdowsi revealed in a blog post that a code update deployed on Sunday at 1:54pm PST introduced a bug in the service's authentication mechanism. The bug was discovered at 5:41pm PST and fixed at 5:46pm. For nearly four hours, then, accounts were left wide open: anyone could access them without a password.
According to Ferdowsi, only 1 percent of the user base actually accessed their accounts during that sensitive window. As a precaution, however, the company ended all logged-in sessions until the bug was eradicated.
"We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed," Ferdowsi said. "If we identify any specific instances of unusual activity, we’ll immediately notify the account owner."
By 10:46pm Monday night, Ferdowsi said the company had been working "around the clock" to gather additional data and was continuing to review logs for potentially unauthorized activity. Users would be notified within the next few hours if login activity on their account was detected during the four-hour "open house" period. By 2:49am Tuesday morning, the owners of accounts that logged in during the period had been emailed additional activity-related details for review.
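The log review the paragraph describes, as an added example that is not Dropbox's code: it filters a constructed authentication log down to the logins that fell inside the 1:54pm to 5:46pm window and, as an assumed heuristic for "unusual activity", flags in-window logins from an IP the account had never used before. The log format, account ids, IP addresses and the date are all constructed (the article gives only "Sunday").

```python
import re
from datetime import datetime

# Constructed sample auth log (not real Dropbox data). Timestamps are local Pacific
# time; the date is an assumption, since the article only says "Sunday".
SAMPLE_LOG = """\
2011-06-18 09:00:00 event=login account=u1002 ip=203.0.113.9
2011-06-19 13:10:02 event=login account=u1001 ip=198.51.100.7
2011-06-19 14:02:45 event=login account=u1002 ip=203.0.113.9
2011-06-19 16:30:11 event=login account=u1003 ip=198.51.100.12
2011-06-19 17:45:59 event=login account=u1002 ip=192.0.2.44
2011-06-19 17:47:00 event=login account=u1004 ip=192.0.2.45
malformed line that the parser must skip
"""
# Exposure window from the article: bad code push at 1:54pm, fix deployed at 5:46pm.
WINDOW_START = datetime(2011, 6, 19, 13, 54)
WINDOW_END = datetime(2011, 6, 19, 17, 46)

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) event=(?P<event>\w+) "
                     r"account=(?P<account>\w+) ip=(?P<ip>[\d.]+)$")

def parse_log(text):
    """Yield (timestamp, event, account, ip) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["account"], m["ip"]

def logins_in_window(text, start=WINDOW_START, end=WINDOW_END):
    """Accounts that logged in while the bug was live, mapped to (time, ip); a login at `end` is excluded."""
    hits = {}
    for ts, event, account, ip in parse_log(text):
        if event == "login" and start <= ts < end:
            hits.setdefault(account, []).append((ts, ip))
    return hits

def unusual_logins(text, start=WINDOW_START, end=WINDOW_END):
    """In-window logins from an IP the account never used before the window (assumed heuristic, not Dropbox's)."""
    seen = {}
    for ts, event, account, ip in parse_log(text):
        if event == "login" and ts < start:
            seen.setdefault(account, set()).add(ip)
    flagged = {}
    for account, events in logins_in_window(text, start, end).items():
        new_ip_events = [(ts, ip) for ts, ip in events if ip not in seen.get(account, set())]
        if new_ip_events:
            flagged[account] = new_ip_events
    return flagged
```

On the sample log, u1001 (before the window) and u1004 (after the fix) are not notified; u1002 and u1003 are, and u1002's second login from a never-seen IP is the one flagged for closer review.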
Dropbox is one of many cloud storage solutions; it offers a free 2 GB basic service and additional storage for a monthly fee. Users can automatically upload files to their cloud storage directly from a desktop, laptop or mobile device (iOS, Android) once the media is saved in a specific folder. Files can be kept totally private, shared only with family members, or offered to the public. They are also kept in sync with other devices authorized on the Dropbox account.
That said, unauthorized access to a Dropbox account means the "snoop" had access to the account holder's email address, credit card and/or PayPal information, and whatever was stored in the cloud. "This should never have happened," Ferdowsi said. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again. We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us."
Dropbox users with any questions or concerns can contact the company at support@dropbox.com.

1. Disposable Greendot Prepaid Card ✓
2. Home data storage ✓
3. Owning your own storage, priceless!
horrifying... just uninstalled it
Microsoft's "Windows Live Mesh" is doing the same stuff, but better.
All these security breaches (accidental or otherwise) are just terrifying. Absolutely terrifying.
The cloud is meant to be the future? No thanks - count me out.
Maybe I'm just careless, but I'm not overly worried about such a thing. The window of opportunity is rather small, and nobody in their right mind would store seriously sensitive data in such a place anyway.
I agree, but it's a worrying state of affairs that organisations are asking people to embrace "The Cloud" and move their lives online when they're clearly incapable of actually keeping data secure and private.
If you're going to store millions of people's private details and bank account data, you'd better at least be sure that it can't fall into the wrong hands - not to mention in plain text format, via a simple SQL injection attack - the most *preventable* form of attack in existence.
Sony had a case of lax security, Dropbox have just been plain clumsy with their code. Either way, it's an absolute disgrace.
I agree that they should be more careful with security. But I'm not naive enough to think that anything can be completely safe. I mean I've got 10TB of storage at home. That means approx 6GB of data I wouldn't want to lose. Private data. I've taken what security precautions I'm capable of with regards to network security, but any idiot could break down the door and pick up my server while I'm at work. It's a risk like that Sony faced. It can be made more difficult, but never truly prevented.
The Dropbox case is the equivalent of not even locking the door though, which never should happen. But then again, we're all human, and we all make mistakes. We just have to be damn sure we don't make the same mistake twice. And so far they've only gotten the first strike. And at least they're admitting to making it in the first place. I'm not so sure I would've.
This is why you don't trust anyone else with your data. Read the T&C's you sign up to for any of this cloud shit. When (not if) they screw up, they can just shrug their shoulders. They have no responsibility or duty of care whatsoever. I understand *why* they would want to limit their liabilities - but should you use any cloud service you should do so under the positive assumption that you will be monitored constantly, everything will be available to your own and the US government plus any hacker with enough time and luck. Then you should assume that whenever you need to access anything urgently that the service will be down and that everything can and will be deleted at the most inopportune moment, never to be seen again.
In other words these are services for people who don't give a crap, run by people who definitely don't give a crap.
DropBox encrypts all files that they store, but they have a 'back door' to be able to decrypt those files.
For better security, encrypt your files before putting them in your DropBox. EncryptOnClick is freeware that can do so. And the related backup/synchronization software can move files in and out automatically.
(Vendor comment)
Another security incident in the cloud computing world.
I think the fee of cloud storage just got a lot higher.
so people, you REALLY think the cloud is the future when something like this happens.
yeah a WD 1.5TB external HDD for a one time fee of $70 at microcenter
can't wait to see lulzsec take down a cloud.
rain on a parade = bummer
hackers reigning on cloud = nightmare
I had a Dropbox account for a few weeks, but I wasn't happy with how it connected with my Android phone. With SugarSync I get 5GB free and a very nice interface on Desktop, Web, and Mobile Apps. Now, would I store anything of remote importance there? Heck no! But backing up music, ROMs, and pictures on my phone? Heck yes!
Also, I'm suddenly feeling the urge to buy a few more $80 2TB drives...
Can't Tom's do something about the spammers, such as :
gdfk
ghjnnmm
wuyu2070
They said no. Unfortunate.
"Hehe uhm, Beavis? Hehe, yeah, Butthead? I'm not sure yet, but hehe, but I think this sucks!"
Sorry, but this stupid spam gets to a point where I just start sounding like an imbecile...
The sad thing is this is not just a vulnerability of cloud storage, but of anything that can be accessed via the internet. Security is not about how secure things are when things go right; it is about when things go wrong, as in the worst-case scenario. A bank vault is secure because of the laws of physics. The laws of physics do not get updated, hacked, or mismanaged. Software is constantly updated, hacked, or mismanaged. A person can talk until they are blue in the face about software security, but that is always based on the premise that things go right.
I bet this won't happen again.
another win for CLOUD,
my sarcasm tag got dropped...
Nomadesk will give some more wins for the cloud!
You can virtually shred your files with our Theftguard. Check ittttt... www.nomadesk.com/product/protect/
what is dropbox?
JFGI
Ouch, a potentially devastating mistake on their part.
With that said however, I will continue using it. Not only have they been fairly nice with their free accounts, but the Windows integration is also a very nice thing that I appreciate.
Could we kill the "spam" comments? At this rate I'm believing that Tom's is getting paid for these "ads".
Dropbox is awesome, I'll continue to use it. Took them 5 mins to fix a bug like that? Impressive. If you put anything on the internets you care about that's not encrypted by you, then you're a fool anyways. I'm not really sure why people seem so horrified about this...
Good article – here is another cloud storage solution that lets your computer fully encrypt your files before sending them out:
With SugarSync, you get 5GB of cloud storage space with the FREE version, but now there is no restriction to the number of computers you can sync/backup (up from 2).
It gives you the ability to upload and sync any folder on your computer.
It is the only service that offers such a broad device and OS support with apps for BlackBerry, Android, iPhone/iPad, Symbian, not to mention your computer!
You can also stream MP3 music files to your smartphone or computer.
Also if you use the below referral code you get a bonus 500MB extra on top of your Free 5GB!
https://www.sugarsync.com/referral?rf=tbtp0asbw9pt
Hope this helps someone!