Dropbox update made valid passwords unnecessary for 4 hours

For about four hours on Sunday, June 19th, Dropbox accounts could be accessed with any password. That means as long as you typed something in the box, you could access the account. You might expect this to have been the work of hackers, but it was in fact Dropbox's own fault.

The company pushed a code update at 1:54pm Pacific time which inadvertently introduced a bug in the authentication system. The security issue was outlined in a Pastebin post. The poster had been attempting to change his Dropbox password but quickly noticed that he could log in with his old passwords, or with any string of characters at all.

The bug was live for a total of four hours. A fix went live at 5:46pm Pacific time, approximately five minutes after the bug was noticed by the Dropbox team at 5:41pm Pacific. The Dropbox blog described the customers potentially affected, saying, "A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."

Dropbox says it is working around the clock to review logs to see whether any accounts were improperly accessed. In addition, it says that users who logged in during the four-hour window have been notified via email. One of the main selling points on the Dropbox page is "Your stuff is safe", so a snafu like this surely doesn't give users warm and fuzzy feelings about entrusting their important data to Dropbox in the future.

With more cloud-based storage options rapidly becoming available, it remains to be seen whether users will migrate away from Dropbox after this incident. It's one thing to be hacked, but another altogether to break authentication on your own service. The moral of the story seems to be two-fold: your data is never completely safe, and code should be thoroughly tested before it's rolled out.
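The class of bug described above (any non-empty password accepted) is exactly what a negative test in a deploy gate catches. The following is an added illustration, not Dropbox's code: a salted PBKDF2 password check, a deliberately broken stand-in that reproduces the reported failure mode, and a small regression suite that passes for the correct check and fails for the broken one. All function names and the sample password are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed example (not Dropbox's code): a password verifier plus the
# negative checks that would have caught an "any password accepted" regression.


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; generates a fresh salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Return True only when the candidate reproduces the stored digest (constant-time compare)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def buggy_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Stand-in for the reported failure mode: anything typed in the box passes."""
    return len(password) > 0


def auth_regression_suite(verify: Callable[[str, bytes, bytes], bool]) -> Dict[str, bool]:
    """Run the checks a release gate should require; each value is True when the check passes."""
    real_password = "correct horse battery staple"  # sample value, constructed for the test
    salt, digest = hash_password(real_password)
    return {
        "accepts_correct": verify(real_password, salt, digest) is True,
        "rejects_wrong": verify("wrong password", salt, digest) is False,
        "rejects_old": verify("previous-password-123", salt, digest) is False,
        "rejects_empty": verify("", salt, digest) is False,
        "rejects_garbage": verify("asdf", salt, digest) is False,
    }


def gate_passes(verify: Callable[[str, bytes, bytes], bool]) -> bool:
    """A deploy should be blocked unless every check in the suite passes."""
    return all(auth_regression_suite(verify).values())
```

Running `gate_passes(buggy_verify)` returns False because the wrong, old and garbage passwords are all accepted, which is the signal a pre-release test run needs to block the push.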
