Dropbox Drops the Ball

Last week I asked if Apple’s forthcoming iCloud service spells doom for Dropbox. My conclusion was no, iCloud does not pose a critical threat to Dropbox, but this week I’m worried about a new threat to Dropbox’s viability: Dropbox themselves.

Yesterday Dropbox disclosed a “bug” they’d introduced that allowed users to log into any Dropbox account using an arbitrary password. That is, if you have a Dropbox account, all a potential hacker would have to know was your e-mail address, and he would have unfettered access to your entire Dropbox.

Although the impact of the bug on users was mitigated a short lifetime in “the wild” (about 4 hours on June 19th), the impact on Dropbox’s reputation will likely be everlasting. It is inexcusable such an egregious bug would not be caught by an automated testing or manual QA processes.

Worse, this security incident comes on the heels of an update to Dropbox’s privacy policy where the company admitted that it did, in fact, have access to its users data and that it would release private Dropbox data to law enforcement agencies if so required. Thousands of Dropbox users complained the company had misled them, and one group of users even went as far as to file a complaint with the FTC.

Dropbox has been an incredibly popular service among lawyers and non-lawyers alike, but a company asking users to entrust it with private data cannot afford mis-steps like this. If you are storing sensitive data on Dropbox, seriously consider encrypting your data prior to storing it on Dropbox, or look to alternatives to Dropbox that encrypt your data by default, such as SpiderOak.