Thursday, 23 June 2011

Do a Security Audit of your Dropbox Account



Something really scary happened at Dropbox yesterday that should worry anyone who has trusted the service with their important files.


For about 5-6 hours yesterday, the Dropbox login system was left wide open: anyone who knew your email address could sign in to your account by typing any random characters in the password box, and the system would let them in. Scary!


Dropbox has since fixed the bug, but what concerns me is the casual statement they posted in response to such a serious security breach:


A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.



At an event the previous month, founder Drew Houston was quoted as saying that Dropbox has 25 million users. One percent of that is 250,000, so even "much less than 1 percent" could mean tens of thousands of accounts logged in during that window; that is not a small number.


Is Your Dropbox Account Affected?


Unlike Gmail, Dropbox doesn't show you the IP addresses that have recently accessed your account; such a list would have made it much easier to tell whether anyone else got into your account during that period.


There are however a few things that you may do at your end.


#1. The Dropbox website has a page - dropbox.com/events - that details all the recent activity around your Dropbox account. It won't show sign-ins or which of your files were downloaded, but you will at least know if someone has added or removed files in your Dropbox storage without your knowledge. The Events log can also help you determine whether any of your Dropbox folders were shared with another user.


#2. Another page - dropbox.com/account - lists all the computers and mobile devices that are currently linked to your Dropbox account. If you see an unknown computer or mobile phone listed on this page, or if a device you own is missing, that is something to worry about.


#3. Also take a look at your My Apps page to confirm that only apps you recognise have access to your Dropbox account.
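The three checks above are a manual review of an activity log and two inventories (devices, apps) against what you know to be yours. Here is the same review as a script, added as an example that is not code from the original post or from Dropbox: it filters a log to the exposure window, flags removed files, shares to unknown people and unknown linked devices, and diffs the linked-device list against the devices you own. The plain-text log format, the exact window times, and the device and collaborator allowlists are all assumptions constructed for this example; the real dropbox.com/events page is HTML and offers no such export.

```python
# Added example (not from the original post or from Dropbox): the audit
# steps above as code. Log format, window times and allowlists are assumed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed exposure window, in UTC. The post only says "about 5-6 hours",
# so these exact times are placeholders, not Dropbox's published figures.
WINDOW_START = datetime(2011, 6, 19, 20, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 6, 20, 2, 0, tzinfo=timezone.utc)

# What you know to be yours (assumed); anything else in the log is worth a look.
KNOWN_DEVICES = {"MacBook-home", "iPhone-4"}
KNOWN_COLLABORATORS = {"alice@example.com"}

# Constructed sample log: "<ISO-8601 UTC timestamp> <event kind> <detail>".
SAMPLE_LOG = """\
2011-06-19T18:12:00Z added /Photos/holiday.jpg
2011-06-19T21:05:00Z deleted /Finance/taxes-2010.pdf
2011-06-19T22:40:00Z shared /Finance with nobody@example.net
2011-06-19T23:15:00Z linked_device Windows-PC-7c2f
2011-06-20T00:05:00Z shared /Photos with alice@example.com
2011-06-20T09:30:00Z edited /Notes/todo.txt
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed log format; skip blank lines, reject malformed ones."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<time> <kind> <detail>'")
        ts, kind, detail = parts
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, kind, detail))
    return events


def in_window(event: Event, start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> bool:
    """True if the event falls inside the (inclusive) exposure window."""
    return start <= event.when <= end


def audit_log(text: str) -> list[tuple[str, str, str]]:
    """Step #1: return (kind, detail, reason) for every in-window event that
    matches what the post says to look for: removed files, folders shared
    with someone you don't know, and devices you don't recognise."""
    findings = []
    for ev in parse_events(text):
        if not in_window(ev):
            continue  # activity outside the window is not evidence of the bug
        if ev.kind == "deleted":
            findings.append((ev.kind, ev.detail, "file removed during exposure window"))
        elif ev.kind == "shared":
            path, _, recipient = ev.detail.rpartition(" with ")
            if recipient not in KNOWN_COLLABORATORS:
                findings.append((ev.kind, ev.detail, f"{path} shared with unknown user {recipient}"))
        elif ev.kind == "linked_device" and ev.detail not in KNOWN_DEVICES:
            findings.append((ev.kind, ev.detail, "unknown device linked during exposure window"))
    return findings


def audit_devices(linked: set[str], owned: set[str] = KNOWN_DEVICES) -> tuple[set[str], set[str]]:
    """Step #2 as a set difference: devices on dropbox.com/account that you do
    not own, and devices you own that are no longer listed. Both are warning signs."""
    return linked - owned, owned - linked


if __name__ == "__main__":
    for kind, detail, reason in audit_log(SAMPLE_LOG):
        print(f"{kind:14} {detail:45} {reason}")
    unknown, missing = audit_devices({"MacBook-home", "Windows-PC-7c2f"})
    print("unknown devices:", sorted(unknown), "missing devices:", sorted(missing))
```

The same set-difference check in audit_devices applies to step #3: the apps listed under My Apps against the apps you actually authorised. Note that the window filter matters: the sample log's file added before the window and the edit the next morning are ordinary activity and are deliberately not reported.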


Update: I contacted Dropbox support at support@dropbox.com asking them for a list of IP addresses that accessed my account in the past day or so. They didn’t provide that list but were kind enough to review my account:


I have reviewed the logs for your account and have not been able to detect any relevant account activity for your account during the time period, so I believe that your account was unaffected by the bug.


At this point, we have emailed accounts that logged in during the time period with additional activity-related details for review. We’re sorry for this situation and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us.



Dropbox support also said that they have contacted all accounts that showed login activity during the "unlocked" period. Hope that no such email lands in your inbox: if someone else has already read or downloaded the documents stored in your Dropbox, that exposure can't be undone. What you can still do is change your Dropbox password, unlink any device or app you don't recognise, and change any passwords or keys that were kept in those files.




Digital Inspiration (@labnol): This story, Do a Security Audit of your Dropbox Account, was originally published at Digital Inspiration on June 21, 2011 under Dropbox, Internet.




