Jun 21, 2011 07:57 GMT  ·  By

Dropbox is going through a security firestorm after it accidentally introduced a bug that allowed users to access other people's accounts without a password.

"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm," the company explains on its blog.

According to Dropbox co-founder and CTO Arash Ferdowsi, less than one percent of the service's users logged in during that period of time.

As soon as the problem was discovered, all active sessions were terminated in order to prevent any abuse. The company is analyzing the logs to determine whether any accounts were accessed without authorization and plans to notify their owners.
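The response described above has two parts: revoke every live session, then comb the authentication logs for logins that fell inside the window when the password check was broken. The script below is an added example of that triage, not Dropbox's code. It uses the times the company gave (1:54pm deploy, 5:46pm fix, Pacific), assumes the calendar date and a simple constructed log format, and shows why the log alone cannot separate an account owner from an intruder: during the window any password was accepted, so every in-window login is a candidate for notification.

```python
"""Triage of authentication logs around a known-bad deployment window.

Added example, not Dropbox's code. Log format and sample data are constructed.
"""
from datetime import datetime, timedelta, timezone

# Times from the article (Pacific). The calendar date is an assumption: the page
# only says "yesterday". June is Pacific Daylight Time, UTC-7.
PDT = timezone(timedelta(hours=-7))
INCIDENT_DATE = (2011, 6, 19)  # assumed
WINDOW_START = datetime(*INCIDENT_DATE, 13, 54, tzinfo=PDT)  # bad deploy went live
WINDOW_END = datetime(*INCIDENT_DATE, 17, 46, tzinfo=PDT)    # fix went live

# Constructed sample log (not real data). Assumed format, one event per line:
# "<UTC timestamp>Z login user=<account> session=<token> auth=<result>"
CONSTRUCTED_LOG = """\
2011-06-19T18:00:00Z login user=erin session=s5 auth=password_ok
2011-06-19T20:10:00Z login user=alice session=s1 auth=password_ok
2011-06-19T21:30:00Z login user=bob session=s2 auth=password_ok
2011-06-19T22:15:00Z login user=carol session=s3 auth=password_ok
2011-06-20T01:00:00Z login user=dave session=s4 auth=password_ok
"""


def parse_ts(ts_text):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts_text, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": parse_ts(ts_text), "event": event,
            "user": kv["user"], "session": kv["session"]}


def in_window(ts):
    """True if a login happened while the broken authentication check was live.

    Inclusive on both ends: a login at the exact minute the fix went live is
    still treated as suspect, which errs toward notifying the owner.
    Aware datetimes compare correctly across time zones, so the Pacific window
    can be compared directly against UTC log timestamps.
    """
    return WINDOW_START <= ts <= WINDOW_END


def in_window_utc(ts_text):
    """Convenience wrapper taking a UTC timestamp string from the log."""
    return in_window(parse_ts(ts_text))


def triage(log_text):
    """Return the sessions to revoke and the accounts to notify."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    logins = [e for e in events if e["event"] == "login"]

    # Revoke every session, not only those created in the window: revocation is
    # cheap, forces a fresh (now correctly checked) login, and does not depend
    # on the log being complete.
    revoke_all = {e["session"] for e in logins}

    # "auth=password_ok" is meaningless inside the window because the check was
    # broken, so the log cannot tell an owner from an intruder. Every account
    # with an in-window login is therefore a candidate for notification.
    notify = sorted({e["user"] for e in logins if in_window(e["ts"])})
    return {"revoke_all": revoke_all, "notify": notify}


if __name__ == "__main__":
    result = triage(CONSTRUCTED_LOG)
    print("revoke sessions:", sorted(result["revoke_all"]))
    print("notify accounts:", result["notify"])
```

On the constructed log, only bob and carol logged in between 20:54Z and 00:46Z (the window converted to UTC), so they are the accounts to notify, while all five sessions are revoked. In a real investigation the same query would be run over the full login table, and the notification set would be the whole in-window population rather than only accounts with a visible anomaly.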

Considering that Dropbox has over 25 million users, the number of sessions to be investigated is between 125,000 (0.5%) and 250,000 (1%). However, this choice of only notifying affected users backfired as people learned about the compromise from news sites.

Understandably, this didn't make users very happy, and they've taken to the forum to express their disapproval of how the situation was handled.

"Why didn't they email out all the customers to let them know as soon as it was discovered?" asks one user. "Yeah, I'm a paid up member for over a year. They haven't apologised to me yet," another responds.

"Nobody is perfect. It's not what happens, but how we respond to what happens. That's where the Dropbox team (or management) needs to step up. By responding in a timely fashion with all cards on the table," says a pro user named Ted.

When cloud-based password management service LastPass recently suspected a compromise it immediately notified everyone and enforced special measures. While the incident itself made some users unhappy, the company gained the admiration of many for being sincere and proving itself capable of acting swiftly to mitigate security risks.

"This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again," Ferdowsi said.