Dropbox Cloud Authentication Bug Sparks Class Action Suit


Dropbox's authentication bug, which left Dropbox's 25 million users' cloud storage accounts wide open and accessible with any password, has sparked a class action suit from users peeved over their data's possible exposure.

In a class action lawsuit filed in U.S. District Court in San Francisco, angered Dropbox user Cristina Wong of Los Angeles claimed she didn't hear about Dropbox's snafu and her data's potential exposure until reading about it well after the fact, according to a report from ConsumerAffairs.com.

On June 19, Dropbox users reported being able to log into their Dropbox cloud storage accounts using any password. Users quickly took to Dropbox user forums and to social networking sites fuming about the security misstep.

The following day, Dropbox confirmed that an authentication bug opened a gaping security hole that made users' cloud storage accounts accessible without the proper credentials.

In a Dropbox blog post published June 20 discussing the vulnerability, Dropbox founder said the four-hour glitch "should never have happened."

Dropbox CTO and co-founder Arash Ferdowsi said the company updated code at 4:54 p.m. Eastern on June 19 and the update introduced a bug that affected Dropbox's authentication mechanism. Dropbox discovered the issue nearly four hours later and fixed it within minutes of locating the source of the authentication bug.

In the blog post, Ferdowsi wrote that "a very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."

Ferdowsi said Dropbox will continue its investigation to determine whether any accounts were improperly accessed and will notify account holders of any instances of unusual activity. Dropbox also asked concerned users to contact the company with questions.

"This should never have happened," Ferdowsi wrote. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

By early Tuesday, June 21, Ferdowsi said the accounts that had logged while the authentication bug was live were notified via e-mail and activity-related details were provided for review.

Then, on Friday, Dropbox said that it sent e-mails directly to users whose accounts were likely compromise during the security lapse.

"According to our records, there were fewer than a hundred affected users and neither account settings nor files were modified in any of these accounts," Dropbox wrote. "Our team has been working tirelessly to review what happened and to make sure that it never happens again. At this point, we have contacted all these users and provided them more detail. We will continue to provide updates when available."

But in the class action suit against Dropbox, Wong said all clients should have been notified of the security problem and that a blog post was not enough. Wong also claims that Dropbox did not notify users in a timely manner.

Wong's lawsuit also claims that Dropbox violated the California Unfair Competition Law and makes a claim of invasion of privacy and negligence. According to reports, Wong alleges that Dropbox encourages users to store personal data and sensitive information via its cloud service and claims that the service is safer than alternative cloud storage options.

That claim is in direct response to an April 21 Dropbox blog post focusing on its security practices, in which the company's founders wrote "we believe that storing data in Dropbox is far more safe than the alternatives."

See the latest cloud technologies, learn best practices, and interact with your peers at the channel’s first all-inclusive cloud event: NexGen Cloud Conference & Expo, December 4-5, 2014 at the San Diego Convention Center. Register now at  www.NexGenCloudCon.com