The internet is ablaze with news about Dropbox’s recent authentication problem, which made it possible (for a few hours) to log in to any account whose email address you knew, using a random password. They have an official post about the issue which you can read by clicking here.
The big issue here (apart from the rather obvious problem with unauthorized access to any account) is how they dealt with the problem - by not talking about it until the press picked up on it (which it would eventually - it’s too juicy a story not to be talked about). When you run a service such as Dropbox you can’t play it safe about communicating with your users. By not addressing their audience as soon as they heard about the issue, they put their users’ trust on the line.
Two main questions come to mind:
- How did this happen in the first place? Were there no tests in place? User authorization is no trivial matter, so I assume a lot of attention went into making it secure. How did it fail? Whose fault is it, and what’s been done to correct the issue?
- Why didn’t users hear about this sooner? What would have happened if the media hadn’t picked up on the story? Are there any guarantees that Dropbox would have let their users know about what was going on?
There’s that saying that goes “Trust takes years to build, seconds to break and forever to repair”, and as a Dropbox user and supporter for years, I feel shaken. I have no way of knowing whether my data is/was safe, and the way Dropbox handled the issue doesn’t exactly put me (or anyone, really) at ease. These are talented folks and they provide an amazing service - I can only hope they learn from this mistake. The internet may forgive, but it usually doesn’t forget.