Cloud Site Dropbox Drops the Ball

Popular data storage site accidentally unlocked users' accounts, suit charges

The Dropbox data hosting service introduced a bug that unlocked its 25 million users' accounts and data for everyone to see, a class action lawsuit claims in California's Northern District.

In the suit filed in U.S. District Court in San Francisco, Dropbox customer Cristina Wong of Los Angeles said she did not learn about the incident until she read a news story about it several days later.

Dropbox, which claims to have more than 25 million subscribers, is a popular “cloud” storage service that lets Internet users easily keep all of their data online so that it is accessible to all of their devices.

The company also assures customers that it keeps their data secure from theft and unauthorized disclosure. “We believe that storing data in Dropbox is far more safe than the alternatives,” the company said in an April 21 blog posting.

The suit notes that Dropbox actively encourages consumers to store their sensitive personal and business data on its system because of its supposedly superior security.

"Introduced a bug"

Yet Wong says that on June 20, Dropbox announced via a blog post that it had “introduced a bug” on June 19, allowing users to log into other users' accounts and access their data, but that the company did not notify all of its clients of the problem.

Instead, in a breezily written blog, the company said:

“Hi Dropboxers, Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm.”

The company's blog posting said that only “a very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password.”

Dropbox said that as a precaution it ended all logged-in sessions and launched an investigation of all activity at the time the system was compromised.

“If we identify any specific instances of unusual activity, we’ll immediately notify the account owner,” the posting said.

“This should never have happened,” the blog post said, words that may come back to haunt Dropbox.

The suit charges the San Francisco company with violating the California Unfair Competition Law, invasion of privacy and negligence.
