The other day we mentioned an openly available tool, Dropbox Reader, that is designed to circumvent security measures on your DropBox account. We are now hearing that over the weekend, no tool was needed to access DropBox accounts.
For a brief period of time, users could log into accounts using any password: type in an email address, enter whatever password you liked, and you were in. DropBox has confirmed the breach and states that accounts were vulnerable from 1:54pm PDT to 5:46pm PDT this past Sunday (06/19/2011). The fix took only five minutes to put in place once DropBox became aware of the problem.
In a statement on DropBox's blog, the cloud storage service reports,
"We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at firstname.lastname@example.org.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."
If you're a DropBox user, you may want to check your account's activity for any files that were accessed during that time frame or have since gone missing. Changing your password would not be a bad idea either.
Glitches in security happen, but it sure does seem like DropBox has been snakebitten lately.