Online storage company Dropbox has revealed that up to 25 million accounts were left unsecured for four hours on Sunday.
At 1:54pm Pacific time, the firm made a code update that introduced a bug to its authentication mechanism and didn’t discover the error until 5:41pm.
In the meantime, users were able to log into accounts using incorrect passwords, meaning that anyone could steal data if they knew a particular user’s log-in email address.
Dropbox says that less than one per cent of its users logged in during that period. On its blog, the firm commented: “As a precaution, we ended all logged in sessions. We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.
“This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”
The bug was discussed on the Dropbox forums, but didn’t seem to spread too much further at the time. One dreads to think how many accounts would’ve been hacked if LulzSec had found out…