File storage start-up, which says it has more than 25 million users, says a "code update" allowed access to accounts without passwords for about four hours on Sunday.
Web-based storage firm Dropbox confirmed this afternoon that a programmer's error caused a temporary security breach that allowed any password to be used to access any user account.
The San Francisco-based start-up attributed the security breach to a "code update" that "introduced a bug affecting our authentication mechanism." Access without passwords was possible between 1:54pm PT and 5:46pm PT yesterday, the company said.
"This should never have happened," Dropbox co-founder and CTO Arash Ferdowsi said in a blog post. "We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."
This afternoon's news is a significant embarrassment for Dropbox, which (despite not being located in Silicon Valley) appeared on a list of "20 Hot Silicon Valley Startups You Need To Watch," and which received a CNET Webware award in May 2009.
Dropbox had assured its users that "we use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure."
News of the snafu began to trickle out earlier on Dropbox's discussion forums--one thread was titled "Drop box web interface was WIDE OPEN for some time yesterday"--and through Twitter in a post by privacy advocate Christopher Soghoian.
In 2008, Dropbox received $7.2 million in funding from Sequoia Capital and other investors. The company claims to have more than 25 million users of its free service.