Dropbox bug drops passwords, underscoring the cloud's risks

Cloud storage service Dropbox disclosed Monday that all of its users’ files were publicly accessible for nearly four hours on Sunday due a bug in the company’s authentication mechanism. From 1:54 p.m. to 5:41 p.m., anyone could access a Dropbox account without using the correct password.

“This should never have happened,” Dropbox co-founder and CTO Arash Ferdowsi wrote on the company blog. “We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”

With 25 million members, Dropbox has emerged as a leader in the growing niche of cloud-storage sites, but the privacy snafu could harm its reputation as a secure place to store files. It also underscores the security risks of cloud services: When all of your files are stored on another company’s servers, can you trust that company to keep your data safe? Many large enterprises have held off on moving documents and services to the cloud because of such concerns.

Ferdowsi wrote that “much less than one percent” of Dropbox users were logged in during the period. Dropbox ended all logged-in sessions when it discovered the vulnerability, and on Tuesday was notifying any users who was logged in during the four-hour period.

Back in April, Dropbox emphasized on its blog that the company was “dedicated to security,” adding that “since the very beginning, we’ve devoted an incredible amount of resources and attention to it.” This latest incident, however, suggests that even an “incredible amount” of work isn’t enough. What may seem like a small oversight can expose all of your customers’ files, and maybe dog your reputation for some time.

Are you a Dropbox user? Have you considered leaving the service after this event?

Photo via Karin Dalziel