Online storage service Dropbox accidentally turned off passwords for four hours, potentially exposing data belonging to its 25 million customers to unauthorized users.
The breach occurred when the company applied a code change at 4:54 p.m. EST on June 19 that caused problems with the authentication mechanism, Arash Ferdowsi, Dropbox CTO and founder, wrote in the company blog June 20. The problem was discovered about four hours later and Dropbox killed all of the sessions of those who were logged in and accessing the data.
The password issue allowed anyone in the world to access any of the 25 million accounts and the information stored inside by typing in any string as the password. The bug was possible because Dropbox handles encryption and decryption on its servers instead of the individual user computers. Since it holds the encryption key, it controls who can open the files, not the user.
"This should never have happened. We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening again," Ferdowsi wrote in his blog.
The issue was fixed at 8:46 p.m. EST, five minutes after it learned of the issue, according to Ferdowsi. The company also notified all those who had logged in during that four-hour window and asked them to review their account activity details. Concerned users can also directly contact Dropbox either through firstname.lastname@example.org or email@example.com, the company said.
"This kind of event underscores what a lot of people have been saying for a while-no cloud provider is immune from making the same basic administration mistakes that all other organizations make," Geoff Webb, senior product manager at Credant Technologies, told eWEEK. The difference for cloud providers is that when a problem occurs, it affects a bigger user base. Much of the data is "probably not sensitive at all," but considering many enterprises rely on the service to store business information, having accounts unprotected for several hours increases the potential of a damaging data breach, Webb said.
Much less than one percent of the accounts were accessed during that four-hour period, according to Ferdowsi. It is still investigating whether any unauthorized users improperly viewed those accounts.
"We're conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed," Ferdowsi wrote.