Online storage company Dropbox has revealed that up to 25 million accounts were left unsecured for four hours on Sunday.
At 1:54pm Pacific time, the firm made a code update that introduced a bug to its authentication mechanism and didn’t discover the error until 5:41pm.
In the meantime, users were able to log into accounts using incorrect passwords, meaning that anyone who knew a particular user’s log-in email address could have accessed that account’s data.
Dropbox says that less than one per cent of its users logged in during that period. On its blog, the firm commented: “As a precaution, we ended all logged in sessions. We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.
“This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”
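The class of failure described above, a password check that stops rejecting wrong passwords, is the kind of regression a release gate should catch before a deploy goes live. The following is an added illustration, not Dropbox’s code and not the actual defect (the article does not describe the specific bug): a correct `verify_password`, a hypothetical regressed variant that accepts any password, and an `auth_check_passes` check that a deployment pipeline would run against whichever verifier is about to ship. The sample password and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Tuple

# Constructed parameters for the example; real deployments tune these.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(stored_salt: bytes, stored_digest: bytes, candidate: str) -> bool:
    """Correct check: recompute the digest and compare in constant time."""
    _, candidate_digest = hash_password(candidate, stored_salt)
    return hmac.compare_digest(candidate_digest, stored_digest)


def verify_password_regressed(stored_salt: bytes, stored_digest: bytes, candidate: str) -> bool:
    """Hypothetical regression (illustrative only): the comparison result is computed
    but discarded, so every candidate password is accepted."""
    _, candidate_digest = hash_password(candidate, stored_salt)
    hmac.compare_digest(candidate_digest, stored_digest)  # result never used
    return True


Verifier = Callable[[bytes, bytes, str], bool]


def auth_check_passes(verifier: Verifier) -> bool:
    """Release-gate check: a verifier must accept the right password AND reject
    wrong, empty and near-miss candidates. Testing only the happy path would
    have let the regressed variant through."""
    secret = "correct horse battery staple"  # constructed sample password
    salt, digest = hash_password(secret)
    accepts_right = verifier(salt, digest, secret)
    rejects_wrong = not verifier(salt, digest, "definitely not the password")
    rejects_empty = not verifier(salt, digest, "")
    rejects_near_miss = not verifier(salt, digest, secret + " ")
    return accepts_right and rejects_wrong and rejects_empty and rejects_near_miss


if __name__ == "__main__":
    print("correct verifier passes gate:", auth_check_passes(verify_password))
    print("regressed verifier passes gate:", auth_check_passes(verify_password_regressed))
```

The point of the gate is that it asserts on the negative cases: a login check that only proves the right password works cannot distinguish a working verifier from one that says yes to everything.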
The bug was discussed on the Dropbox forums, but didn’t seem to spread too much further at the time. One dreads to think how many accounts would’ve been hacked if LulzSec had found out…