Dropbox, one of the most popular ways to share and sync files online, says the accounts became unlocked at 1:54pm Pacific time Sunday when a programming change introduced a bug. The company closed the hole a little less than 4 hours later.
The bug was reported on Dropbox forums and on Pastebin (via security researcher Christopher Soghoian).
The company gave more specifics in a blog post Monday afternoon:
We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.
This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again. More
