Dropbox accidentally turned off password for 4 hours thanks to a bug in the new update

June 22nd, 2011        

Thanks to a bug introduced by a code update, the entire world had access to Dropbox accounts for just under four hours. Dropbox CTO Arash Ferdowsi revealed on his blog on Monday that a code update implemented on Sunday at 1:54pm PST introduced a bug that affected the service’s authentication mechanism. The bug was discovered at 5:41pm PST and fixed precisely at 5:46pm. This meant that for nearly four hours, accounts were left wide open for anyone to access without a password.

According to Ferdowsi, only 1 percent of its user base actually accessed their accounts during that sensitive window. However, as a precaution, the company ended all logged-in sessions until the bug was eradicated.

“We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed,” Ferdowsi said. “If we identify any specific instances of unusual activity, we’ll immediately notify the account owner.”

By 10:46pm Monday night, Ferdowsi said that the company had been working “around the clock” to gather additional data and continue to review logs for potentially unauthorized activity. Users would thus be notified within the next few hours if login activity was detected during the four-hour “open house” period. By 2:49am Tuesday morning, the accounts that logged in during the period had been emailed with additional activity-related details for review.

Dropbox is one of many cloud storage solutions that offer a free 2 GB basic service and additional storage for a monthly fee. Users can automatically upload files to their cloud storage directly from a desktop, laptop or mobile device (iOS, Android) once the media is saved in a specific folder. Files can be kept totally private, shared only with family members, or offered to the public. They’re also kept in sync with other devices authorized with the Dropbox account.

That said, unauthorized access to a Dropbox account means that the “snoop” had access to the account holder’s email address, credit card and/or PayPal information, and whatever is stored in the cloud. “This should never have happened,” Ferdowsi said. “We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again. We are sorry for this and regardless of how many people were ultimately affected; any exposure at all is unacceptable to us.”

SOURCE via Dropbox Blog
