The bug was introduced in a code update made that day at 13:54 Pacific Time (22:54 in Spain), but it was not discovered until 17:41 (2:41 AM on Monday) and was fixed a few minutes later. According to Dropbox, only 1% of users may have been affected, because that is the percentage that logged in during that period.
For now, the company is investigating which accounts were accessed inappropriately. If it identifies unusual activity, it will notify the affected users immediately. It also asks anyone who has noticed strange activity in their account to get in touch.
Not only a security error: also a communication error
This flaw was first made public by Christopher Soghoian, the same person who sparked controversy over the access that Dropbox employees had to users' files. Around the same time, however, users on the Dropbox forums had also started talking about it. Dropbox did not acknowledge the flaw until yesterday, in a post on its blog, by which time the news had already spread. If a security flaw of this caliber (I repeat: you could access an account with any password) is already serious, the matter gets worse when the company does not quickly inform its users of what happened.
While it is possible that very few accounts were affected (it is not yet known), what has been affected is the trust that the service inspires, especially because it did not communicate the problem to all users in time. In these cases, it is best to admit the error as soon as possible and not wait for the news to start spreading across the web, especially for a service that many people use to store sensitive information.
If, after reading this, you are thinking of changing services, I recommend that you review the two roundups that my colleague Miguel López put together of alternatives you can use instead of Dropbox.
Source: Genbeta

