Dropbox confirmed today that for some time yesterday, any user's account was accessible without a password. The glitch was a programming error related to a code update, and accounts were only vulnerable from around 1:54 pm PST to 5:46 pm PST. Dropbox issued a statement explaining the issue:
“Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.”
For those 4 hours, anyone who was aware of the glitch could have accessed your data stored on the Dropbox servers without restriction. Dropbox Co-Founder Arash Ferdowsi said:
“We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”
Dropbox will definitely have more security controls in place in the future to prevent exposure of users' data. No details have been released on whether any users' data was compromised during the time the glitch was present.