Dropbox security bug left accounts unprotected

A security breach at file-sharing service Dropbox may have allowed unauthorised users to log into subscribers' accounts without providing the correct password.

In a post on the company's official blog yesterday, Dropbox admitted that the breach had been the result of a bug in an update applied the day before. The post explained:

"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than one per cent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."

The site provided an update at 10:46pm PST to say it was investigating potential security breaches:

"We're working around the clock to gather additional data and continue to review logs for potentially unauthorized activity. We aim to notify users who had login activity during the period within the next few hours.

"We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates."

Between them, Dropbox's 25 million users save more than 200 million files to the online file-sharing service every day - so there's a good chance that the four-hour security lapse may have affected a significant number of people. Even if it was "less than one per cent" of users, as Dropbox says, this could still mean as many as 250,000 accounts were at risk.

Privacy researcher Christopher Soghoian - who recently made an official complaint to the US Federal Trade Commission alleging that Dropbox has lied to users over its security - was quick to publicise the problem on hacker hangout Pastebin.

Soghoian went on to claim on Twitter that he had received reports of users gaining access to Dropbox accounts without authorisation, and later taunted, "Dropbox: 'We use the same secure methods as banks and the military.' Which bank? Citi?", referring to a recent security breach which saw Citibank admit that hackers had stolen data from 36,000 account holders.

As yet, no estimate has been given as to how many users' accounts may have been compromised - other than ours.