The bug was first publicized by Chris Soghoian a couple of days ago. According to Dropbox, it affected a “very small number of users (much less than 1%)” and was fixed at 5:46 p.m. PT, five minutes after Dropbox admins discovered it.
Dropbox claims it ended all logged-in sessions after they applied the fix and is currently conducting an investigation of all unusual activity during the time the bug was active. The latest update on the Dropbox blog says that “accounts that logged in during the period have been emailed with additional activity-related details for review,” which means that all users will be able to check if their accounts were tampered with by an unauthorized party.
Dropbox’s speedy reaction was accompanied with an apology. Still, Dropbox’s business is data synchronization and storage in the cloud, and security must be one of its biggest priorities.
The 4-year-old startup has grown tremendously in the past year, jumping from 5 million users to more than 25 million users, who are saving more than 300 million files each day. Even if less than 1% of users were affected in this incident, it could still add up to more than 200,000 users and millions of files.