Dropbox left open for 4 hours

Filed under: Cloud

A wrinkle has appeared in the perennial question, “Is Dropbox Secure?” Dropbox (one of my favorite services) was effectively unlocked for 4 hours on Monday June 20, 2011!

Writing in PC World, Sara Yin notes:

A code update left Dropbox, the popular cloud storage service, password-free for about four hours on Monday afternoon.

During this time, anyone could access any of Dropbox’s 25 million user accounts by typing in any password. The lapse occurred between 1:54 p.m. and 5:46 p.m. PT.

Ok. All together now: “FUUUUU…!”

If you want to drop Dropbox, I perfectly understand. I hate that this happened. At least Dropbox owned up to this and fixed the problem.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.

[Update – 2:49am] – At this point, the accounts that logged in during the period have been emailed with additional activity-related details for review. If you have any questions or concerns, please contact us at support@dropbox.com.

Am I still a fan of Dropbox? Yup. Why?

  • An open door is not a breach. Have you ever left your car unlocked with your phone or laptop in it? Left a window unlocked? Left a door open/unlocked? Yeah, I think we all have. Is it worse when Dropbox leaves a door unlocked? You bet! However, a security incident is not necessarily a breach. Go ahead and flame away in the comments.
  • Dropbox owned up and fixed the problem the same day and contacted affected users, unlike Sony (77 million credit cards stolen) and TJ Maxx (45.7 million credit and debit cards stolen).

You might be saying:

That’s not the loss of sensitive legal data!

That’s true. However, don’t forget 650,000 Records Missing At Iron Mountain. Want to see more breaches? Check out a list of recent breaches on TeamShatterer.

I’m writing this post at the Colorado Bar CLE on “Avoiding Lawyer’s Digital Nightmare.” I’m listening to a talk on how vulnerabilities are increasing and how all of us are either post-breach or pre-breach — whether we know it or not!

There are physical breaches: theft of laptops, mobile devices, flash drives, etc. There are social engineering attacks. And there are dumb mistakes. While I hate to see vulnerabilities, especially dumb ones, I am more concerned about the service provider’s response. I feel that Dropbox has been handling this vulnerability (and potential breach) well.
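As an added illustration of the “dumb mistake” class described above (example code written for this post, not Dropbox’s code; the post does not say what the actual Dropbox update changed, so the broken function below is a hypothetical stand-in): a password check that a refactor has left accepting any password, beside a correct check, and the kind of pre-deploy regression gate that catches the difference.

```python
import hashlib
import hmac
import os

# Constructed example record, as a server might store it. The salt is generated
# here at run time; nothing below is real Dropbox data or code.
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_broken(record: dict, password: str) -> bool:
    # Hypothetical failure mode: the update still derives a hash from the
    # submitted password but never compares it to the stored one, so every
    # password (even an empty string) is accepted.
    hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return True


def verify_fixed(record: dict, password: str) -> bool:
    # Correct check: re-derive the hash and compare it in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def auth_regression_ok(verify, record: dict, real_password: str) -> bool:
    """Deploy gate for an authentication change: the real password must pass,
    and wrong, empty and near-miss passwords must all be rejected.
    Returns False as soon as any case misbehaves."""
    if not verify(record, real_password):
        return False
    for bad in ("", "wrong", real_password + "x", real_password[:-1]):
        if verify(record, bad):
            return False
    return True
```

Running the gate against both functions shows the point: the fixed check passes it and the broken one fails on the very first bad password.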

Update 4:26pm MST. Not satisfied? Rich Mogull at Securosis (via BoingBoing) has a great write-up of the options to secure your Dropbox. Note: until Dropbox, or a third party, creates a per-file encryption method that works with Dropbox, the options, including pre-encrypted containers, degrade performance and come with their own risks. The main benefits of Dropbox (for me at least) are speed and that it effortlessly works everywhere. Damn it, I really want per-file encryption!