So, someone at Dropbox screwed the pooch yesterday, and as a result, for roughly four hours on June 19th, any Dropbox account could be opened with any password. Everything in it was open to the world.
You know, I constantly come back to a simple premise. If you leave all of your data with a third party service that you don’t control, there will be repercussions sooner or later. That’s not to say that you should squirrel away all of your data in a mattress. Not at all. Rather, it’s to point out that if you’re going to rely on a service like Dropbox you should be sure to cover your flank. Encrypt your files before they leave your machine, with a key the service never sees.
From C|Net:
Web-based storage firm Dropbox confirmed this afternoon that a programmer’s error caused a temporary security breach that allowed any password to be used to access any user account.
The San Francisco-based start-up attributed the security breach to a “code update” that “introduced a bug affecting our authentication mechanism.” Access without passwords was possible between 1:54pm PT and 5:46pm PT yesterday, the company said.
“This should never have happened,” Dropbox co-founder and CTO Arash Ferdowsi said in a blog post. “We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”
Should “never have happened”…indeed. But it did. And this on the heels of their recent difficulties, when it became apparent that there was some snake oil in the “security” of their service offering. The two stories are really the same story: if the provider holds the keys, then “encrypted on our servers” protects you from exactly nobody who gets past the provider’s login page, and yesterday everybody got past it.
Some ways to protect yourself: encrypt your files with PGP (or GnuPG) before they land in the synced folder, or create an encrypted container on Dropbox using TrueCrypt. Either way the key stays with you, so a failure like this one hands an intruder a pile of ciphertext and nothing more. Two caveats: keep the key and passphrase out of the Dropbox folder itself, or you have encrypted nothing; and if you go the TrueCrypt route, dismount the volume before it syncs and never have it mounted on two machines at once, or you will be recovering a corrupted container instead of reading your files. The long and the short of it is: trust, but verify.
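Here is a small added example, written for this post rather than taken from PGP, TrueCrypt or Dropbox, of what “encrypt before it syncs” looks like when you roll it yourself. It uses AES-256-GCM from Go’s standard library instead of the OpenPGP format, which is an assumption of mine and not what the tools above do; the function names, the key location and the sample file content are all constructed for illustration. The key is generated locally and is assumed to live outside the synced folder. Each file is sealed under its relative path, so someone who can read the whole account (as anyone could yesterday) gets ciphertext, cannot flip a bit without detection, and cannot swap one sealed file in under another name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewKey generates the local file-encryption key. Assumption: the caller
// stores it outside the synced folder (e.g. ~/.config/vault.key); a key that
// syncs alongside the files defeats the whole exercise.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for placement in the synced folder.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
// relPath is bound as associated data, so a sealed file copied to a different
// name (say, "notes.enc" presented as "keys.enc") fails to open.
func Seal(key, plaintext []byte, relPath string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// aead.Seal appends ciphertext+tag to the nonce slice passed as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(relPath)), nil
}

// Open reverses Seal. Any change to the blob, the key or the path yields an
// error rather than silently returning garbage.
func Open(key, blob []byte, relPath string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(relPath))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the file as it exists before it hits the synced folder.
	plain := []byte("2010 tax return (constructed sample)")
	path := "finance/taxes-2010.txt"
	blob, err := Seal(key, plain, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what Dropbox stores (%d bytes): %x...\n", len(blob), blob[:16])

	got, err := Open(key, blob, path)
	fmt.Printf("owner with key: %q err=%v\n", got, err)

	// What an account-level intruder can do: read the blob, flip a bit,
	// or present it under another name. Both of the latter are caught.
	_, err = Open(key, blob, "finance/other.txt")
	fmt.Printf("renamed blob: err=%v\n", err)
	blob[len(blob)-1] ^= 0x01
	_, err = Open(key, blob, path)
	fmt.Printf("tampered blob: err=%v\n", err)
}
```

The point of binding the path is the part PGP-per-file does not give you for free: without it, an intruder who cannot read your files can still shuffle them, and you will happily decrypt last year’s config in place of this year’s. A real tool would also want a way to rotate the key without re-uploading everything, but that is a different post.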
(Image used under CC from Mikey Jon Holm)