The Inquirer-Home

Dropbox admits it let anyone sign in as anyone on its cloud

Update to code removed user authentication
Tue Jun 21 2011, 11:47

CLOUD STORAGE SERVICE Dropbox has admitted to a major security blunder that let anyone sign in as anyone else on its cloud storage service, potentially exposing millions of accounts and documents.

The problem arose after the Dropbox software team made an update to its code on Monday morning, which removed its user authentication. Rather than this being an outright hack, it was more like Dropbox shooting itself in the foot by removing the lock from its front door, letting all and sundry enter.

The lack of user authentication was in place for roughly four hours before Dropbox realised what had happened, but as soon as it did it got a fix in place within five minutes. The problem is that four hours is a long time for users' personal details and documents to be available for the taking by unauthorised users.

Dropbox claimed that less than one per cent of its userbase logged in during this security-free time period, but as a precaution it ended all sessions to force users to log back in again. This will have kicked people out of accounts that they were not supposed to be in.

The company said it is launching a thorough investigation to see if any accounts were accessed inappropriately. It said it will immediately notify a user if any unusual activity was logged on their account, and asked users of its service to report suspicious activity to the Dropbox support team.

The team worked into the wee hours of the morning to log and analyse activity data on the affected accounts, which was then emailed to the respective users.

Dropbox apologised for this significant mistake, admitting the exposure was "unacceptable". It said, "this should never have happened", and it promised to review its controls and implement new safeguards to prevent it from happening again.

Security is becoming an increasing concern across the world after a series of hacks by groups like Anonymous and Lulzsec, but this embarrassing error from Dropbox shows how easy it can be to lower your shields and put data at risk. It raises some serious questions about how trustworthy the cloud really is to keep documents secure and it is a big wakeup call for Dropbox and all the other cloud providers. µ

Comments
DropBoxonion

As a devout DB user I have noticed that their service seems to be majorly slipping recently, with features such as sync (surely the sole use for DB) not working consistently. I was planning to upgrade to the premium package but this makes me wonder if it's a good idea at all. I will definitely be removing my accounting information from DB.

Will iCloud kill DB? I wonder. Apple certainly won't let you share files as easily as DB... they wouldn't want you sharing mp3 files, which as a musician is a vital feature of DB when collaborating on projects.

posted by : jimeny, 22 June 2011