Dropbox Passwords Were Optional For a Short Time on Sunday

Dropbox had a little problem this weekend. The service broke its own authentication system when it pushed out a code update on Sunday afternoon.

The mistake let users log in to Dropbox without a correct password and was live for four hours before it was detected. Dropbox fessed up to the faux pas after TechCrunch ran with the story and issued the following statement:

Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged-in sessions.

We're conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we'll immediately notify the account owner. If you're concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

-Arash

You know the drill — check your Dropbox account, count your files and change your password if needed.

[TechCrunch and Dropbox]