Dropbox Left Document Storage Accounts Open for Four Hours

Online memory Robert William Service Dropbox accidentally inside-out off password authentication for its 25 million users for four hours connected Monday — although "such fewer than 1 percent" of those accounts were accessed during the period, the company said. It is still investigation whether whatever of those accounts were improperly accessed.

Dropbox CTO Arash Ferdowsi wrote that the company introduced a code change at 1:54 p.m. Pacific Time that caused a problem in the authentication mechanics. About four hours later, the problem was discovered, and Dropbox killed all of the Roger Sessions of those who were logged in at the time — "much fewer" than 1 pct of its users, Ferdowsi wrote.

Dropbox Left Document Storage Accounts Open for Four Hours

A unsex was introduced at 5:46 p.m. Pacific Standard Time, he said.

"We'Ra conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed," Ferdowsi wrote. "This should never have happened. We are scrutinizing our controls, and we will be implementing additional safeguards to prevent this from happening over again."

The company later said information technology had notified all those who were logged in at the time of the error and asked them to review details of activity on their account. Those involved can likewise query Dropbox at "support@dropbox.com."

The proceeds was detected by some users. Christopher Soghoian , a University of Indiana doctoral prospect and security researcher, posted a tilt-inactive from an nameless author to the internet site Pastebin.

In May, Soghoian wrote a complaint missive to the FTC, alleging that the companionship has deceived consumers about the level of encoding certificate it offers. Dropbox said the complaint was without merit.

Several Dropbox users were upset by Monday's assay-mark problems, while others brushed it off.

"Every single Dropbox client should be acquiring an e-ring armou honorable now about this — not hearing about it from other sources or from a seemingly calm-toned blog C. W. Post," wrote a user going aside the name of Tony Webster. "Dropbox hasn't even tweeted well-nig this a full 24 hours after it happened. I know I would like disclosure of all unmarried action happening on my Dropbox account during the four hours anybody could get at IT, and I pauperism that information immediately."

But an anonymous poster wrote, "What sort of amazing cancer/AIDS curing research have you stored connected your Dropbox answer for? Mistakes happen and they fixed it. At the least they told you about IT. How many other companies do that?"

Send news tips and comments to jeremy_kirk@idg.com