Dropbox admits software bug affected passwords

21 Jun 2011

Popular personal cloud storage player Dropbox admitted that, for a period of time yesterday, a software bug meant users could have logged into an account without the correct password. As a precaution, it ended all logged-in sessions.

Dropbox is the popular app that allows users to drag and drop documents into the cloud and synchronise their Dropbox folder across a number of devices, from iPhones, iPads and Android devices to netbooks and PCs.

It says only a small number of users – “much less than 1pc” – logged in during the period.

“Yesterday, we made a code update at 1.54pm Pacific time that introduced a bug affecting our authentication mechanism,” Dropbox’s Arash Ferdowsi said in the Dropbox blog.

“We discovered this at 5.41pm and a fix was live at 5.46pm. A very small number of users (much less than 1pc) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged-in sessions.

“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.

“This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again,” Ferdowsi said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.