Security glitch makes Dropbox service 'freely' accessible

For nearly four hours Tuesday (Manila time), a security bug made Web-based file hosting service Dropbox accessible to virtually all users by allowing them to access any account even without the correct password. Dropbox co-founder and chief technical officer Arash Ferdowsi said the bug was introduced at 1:54 p.m. Pacific time and remained online before it was fixed at 5:46 p.m. “A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions," Ferdowsi said in a blog post. Ferdowsi said they are now conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. He said they will immediately notify the account owner if they note any unusual activity. He said account holders can inquire about their accounts at support@dropbox.com. “This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again," he said. “We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates," he added. Dropbox, founded in 2007 by Ferdowsi and Drew Houston, is a free service that hosts photos, documents and videos. It claims to have more than 25 million users. An article on CNET said news of the problem trickled out on Dropbox’s discussion forums. — TJD, GMA News