Major Dropbox Security Lapse

Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

http://blog.dropbox.com/?p=821
 
And this kind of thing is why I still don't trust the cloud with highly personal data.

This is why I laugh at the people who believe everything will be cloud-based in the next few years; until this sort of thing becomes even rarer, it just won't happen.
 
I thought the account password was encrypted so that only the account holder could get at their data? I thought that not even Dropbox employees could access accounts without the user's password.
 
This is why you should always secure stuff yourself before pushing it out to random cloud services :) Seriously, you can't trust them to do it for you.
 
I thought the account password was encrypted so that only the account holder could get at their data? I thought that not even Dropbox employees could access accounts without the user's password.

So either the data isn't encrypted or they have a master key that can access all the data in all accounts.


http://blog.dropbox.com/?p=735 ;)

That's why a lot of people (including myself) are seriously annoyed. First they lied about how they encrypt everything, although I was aware of it due to certain features. Then this happens. BOTH times they just put it up on their blog, mostly hidden away from "normal" users. EVERYONE should've been emailed about this mistake. Instead they keep it mostly to themselves and email only those who could've had their account compromised. Really, really bad behaviour.

*Edit*

Should add that other services (helpfully mentioned in the comments of the current blog post :p ) DO encrypt the data on your computer and then upload. http://www.wuala.com/en/ https://spideroak.com/
 
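The two posts above make one technical point between them: if the provider holds the key (the "master key" case), an authentication bug like the one in the quoted Dropbox notice hands an attacker plaintext, whereas if the file is encrypted on your own machine before upload (the Wuala/SpiderOak model) the same bug yields only ciphertext. The example below is added here to illustrate that difference; it is not code from Dropbox, Wuala or SpiderOak, and the two `ProviderHeldKey` / `ClientHeldKey` classes are constructed models, not any real service's API. To stay within the Python standard library it uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC in place of a real AEAD cipher such as AES-GCM, and PBKDF2 for passphrase stretching; the round count is an assumption.

```python
"""Added example: provider-held key vs. encrypt-before-upload.

Not code from any service named in the thread. Cipher construction is an
HMAC-SHA256 keystream (counter mode) with encrypt-then-MAC, chosen so the
example runs with only the standard library; use a vetted AEAD in practice.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware and threat model


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the user's passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt on the client. Output layout: salt || nonce || tag || ciphertext."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_blob(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; wrong passphrase or tampering raises ValueError."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or tampered data")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


class ProviderHeldKey:
    """Constructed model: the service encrypts at rest with its own master key,
    so anyone who can call download() as the user (for instance through an
    authentication bug) receives plaintext."""

    def __init__(self) -> None:
        self._master = os.urandom(32)  # lives on the provider's servers
        self._store: dict[str, bytes] = {}

    def upload(self, name: str, plaintext: bytes) -> None:
        nonce = os.urandom(NONCE_LEN)
        self._store[name] = nonce + _xor(plaintext, _keystream(self._master, nonce, len(plaintext)))

    def download(self, name: str) -> bytes:
        nonce, ct = self._store[name][:NONCE_LEN], self._store[name][NONCE_LEN:]
        return _xor(ct, _keystream(self._master, nonce, len(ct)))


class ClientHeldKey:
    """Constructed model: the service only ever stores what seal() produced
    and never sees the passphrase, so the same bug yields ciphertext only."""

    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}

    def upload(self, name: str, blob: bytes) -> None:
        self._store[name] = blob

    def download(self, name: str) -> bytes:
        return self._store[name]


def attacker_with_session(service, name: str) -> bytes:
    """What someone who got past login sees: whatever download() returns."""
    return service.download(name)
```

Run `attacker_with_session` against both models with the same file: the provider-held-key store returns the file itself, the client-held-key store returns a blob that `open_blob` only opens with the right passphrase and rejects outright once a single byte is changed. The cost of the second model is the one the thread implies: lose the passphrase and the provider cannot recover the data for you.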
Cloud based services can **** off as far as I'm concerned.

Having everyone's personal data / files in one place simply makes it easier for hackers imo as they only have to look in one place and with some concentrated efforts security will be breached.

Chances are if a hacker had a sniff at my PC and couldn't get in on the first attempt he wouldn't look again.
 