Online storage service provider Dropbox has acknowledged a lapse in security that left client accounts susceptible to unauthorized access for several hours on Monday.
The company says that a code update introduced a flaw that allowed logins to succeed with an incorrect password. Once the flaw was discovered, Dropbox issued a fix for the authentication problem and, as a precaution, terminated all active sessions.
"This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again," wrote Arash Ferdowsi, Dropbox co-founder and CTO in a blog post.
Dropbox staff also began the process of reviewing system logs to determine which accounts had been accessed during the vulnerability period, and have since notified potentially affected customers.
"We’re working around the clock to gather additional data and continue to review logs for potentially unauthorized activity. We aim to notify users who had login activity during the period within the next few hours," Ferdowsi said.
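The log review described above is a standard first step after an authentication bypass: every successful login inside the vulnerability window is a candidate for unauthorized access, and a login from a network address the account had never used before the window is a stronger signal than one from a familiar address. The script below is an added illustration of that triage, not Dropbox's code; its log format, the usernames, the addresses and the window boundaries are all constructed for the example and do not reflect the real incident.

```python
"""Triage successful logins that fall inside an incident window.

Added example, not Dropbox's code. The log format, users, addresses and
window timestamps below are constructed for illustration only.
"""
from datetime import datetime, timezone

# Constructed sample log. One event per line:
#   <ISO-8601 UTC timestamp> <event> user=<account> ip=<client address>
SAMPLE_LOG = """\
2011-06-20T19:00:00Z login_ok user=bob ip=198.51.100.7
2011-06-20T20:10:03Z login_ok user=alice ip=203.0.113.5
2011-06-20T21:30:45Z login_ok user=bob ip=198.51.100.7
2011-06-20T21:31:02Z login_ok user=bob ip=192.0.2.44
2011-06-20T22:05:17Z login_fail user=carol ip=203.0.113.9
2011-06-20T23:12:59Z login_ok user=dave ip=198.51.100.20
2011-06-20T23:50:10Z login_ok user=alice ip=203.0.113.5
2011-06-21T01:00:00Z login_ok user=bob ip=198.51.100.7
"""

# Placeholder window: the span during which the faulty build was live.
WINDOW_START = datetime(2011, 6, 20, 21, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 6, 21, 0, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts_str, event, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event, kv


def successful_logins(log_text):
    """Yield (timestamp, user, ip) for every login_ok event, in file order."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        if event == "login_ok":
            yield ts, kv["user"], kv["ip"]


def accounts_in_window(log_text, start, end):
    """Map user -> [(timestamp, ip), ...] for successful logins within [start, end].

    Every account in this map needs to be notified; the window is inclusive at
    both ends so that a login at the exact boundary is not silently dropped.
    """
    hits = {}
    for ts, user, ip in successful_logins(log_text):
        if start <= ts <= end:
            hits.setdefault(user, []).append((ts, ip))
    return hits


def unfamiliar_ip_logins(log_text, start, end):
    """Map user -> sorted list of in-window login IPs never seen for that user
    before the window started. Accounts with no pre-window history are flagged
    for every in-window IP, since nothing is known to be normal for them."""
    baseline = {}
    for ts, user, ip in successful_logins(log_text):
        if ts < start:
            baseline.setdefault(user, set()).add(ip)
    flagged = {}
    for user, events in accounts_in_window(log_text, start, end).items():
        known = baseline.get(user, set())
        new_ips = sorted({ip for _, ip in events if ip not in known})
        if new_ips:
            flagged[user] = new_ips
    return flagged


if __name__ == "__main__":
    for user, events in sorted(accounts_in_window(SAMPLE_LOG, WINDOW_START, WINDOW_END).items()):
        print(f"notify {user}: {len(events)} login(s) in window")
    for user, ips in sorted(unfamiliar_ip_logins(SAMPLE_LOG, WINDOW_START, WINDOW_END).items()):
        print(f"review {user}: unfamiliar address(es) {', '.join(ips)}")
```

On the sample data, alice, bob and dave all logged in during the window and would be notified; bob (from 192.0.2.44) and dave (no prior history) are additionally flagged for manual review, while alice's in-window login came from her usual address and carol's failed attempt is ignored. A real review would also join against session-creation records and the user's normal device or geography, but the window filter and the unfamiliar-address check are the two tests that give the first cut.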
Ferdowsi also issued an apology for the snafu, and pledged to keep clients updated on any issues that may arise from the event.
"We are sorry for this and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us. We will continue to provide regular updates," Ferdowsi stated.
The security lapse comes just a few months after security researcher Christopher Soghoian filed a complaint with the Federal Trade Commission alleging that Dropbox had been making false claims to customers about the company's protocols for securely storing data.
The crux of the complaint centered on statements by Dropbox that led customers to believe data submitted to the service for storage is always in an encrypted state and accessible in unencrypted form only by the client.
Soghoian had demonstrated that the company uses a process that leaves the data in an unencrypted form, making the information susceptible to examination by Dropbox employees as well as to government and court-ordered searches for copyright infringement.
Soghoian wants the company to further revise advertising and onsite statements to more accurately reflect the security and encryption protocols used by Dropbox. Company officials have dismissed Soghoian's accusations and maintain that no misrepresentations have been made to customers.
Since Soghoian's complaint was filed, multiple changes have been made to the wording the company uses on its website to explain its security protocols.