SECURITY ALERT: Dropbox Login Password Bug
DAY: Wednesday
DATE: June 22, 2011 (US Eastern Time)
Summary
Dropbox, a popular online file-sharing service used by some members of the campus community, announced that a software upgrade error on June 19 allowed any Dropbox account to be accessed without a valid password from 4:54 p.m. to 8:41 p.m. Eastern Time. This means that anyone could have logged into a Dropbox account simply by knowing the account username. Once logged in, the unauthorized person could have read, copied or modified any of the stored files.
What Should You Do?
Dropbox reviewed their access logs and sent email to anyone whose account showed activity in the time period at issue. They are encouraging all affected users to review their recent Dropbox activity for unauthorized events by visiting http://www.dropbox.com/events.
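The review Dropbox describes above (find every account with activity inside the vulnerable window) is the same check an administrator would run over their own authentication logs after an incident like this. The script below is an added example, not Dropbox's code or anything from the alert: it assumes a constructed log format of "ISO-8601 UTC timestamp, event name, user=account" and uses a fixed UTC-4 offset because June 19, 2011 falls in Eastern Daylight Time. The window crosses midnight in UTC, which is why every timestamp is converted to Eastern Time before comparison rather than compared as text.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real Dropbox data). Timestamps are UTC.
SAMPLE_LOG = """\
2011-06-19T20:10:03Z login user=alice
2011-06-19T21:15:44Z login user=bob
2011-06-19T23:59:10Z file_download user=carol
2011-06-20T00:30:00Z login user=alice
2011-06-20T01:05:22Z login user=dave
this line is malformed and must be skipped
"""

# June 19, 2011 is in Eastern Daylight Time, i.e. UTC-4 (assumed fixed offset
# instead of a tz database lookup so the example runs without tzdata).
EDT = timezone(timedelta(hours=-4), name="EDT")

# Vulnerable window stated in the alert: 4:54 p.m. to 8:41 p.m. Eastern, June 19.
WINDOW_START = datetime(2011, 6, 19, 16, 54, tzinfo=EDT)
WINDOW_END = datetime(2011, 6, 19, 20, 41, tzinfo=EDT)


def parse_line(line):
    """Parse one log line into (aware UTC datetime, event, user); None if malformed."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("user="):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), parts[1], parts[2][len("user="):]


def in_window(ts, start=WINDOW_START, end=WINDOW_END):
    """True if an aware timestamp falls inside the window (inclusive).

    Aware datetimes compare correctly across zones, so the UTC log time is
    compared against the Eastern-time window without manual offset math.
    """
    return start <= ts <= end


def accounts_with_activity(log_text, start=WINDOW_START, end=WINDOW_END):
    """Map each account seen inside the window to its events, in local time."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as activity
        ts, event, user = rec
        if in_window(ts, start, end):
            local = ts.astimezone(start.tzinfo).strftime("%Y-%m-%d %H:%M:%S %Z")
            hits.setdefault(user, []).append((local, event))
    return hits


if __name__ == "__main__":
    for user, events in accounts_with_activity(SAMPLE_LOG).items():
        print(f"{user}: {events}")
```

On the sample log this flags bob, carol and alice (alice's second login lands at 8:30 p.m. Eastern, inside the window, even though it is June 20 in UTC), and leaves out alice's earlier login and dave's later one. Accounts returned by this function are the ones whose owners should be told to review their recent activity.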
If you suspect that there was unauthorized access to Carnegie Mellon private or restricted data stored in your Dropbox account, please contact the Information Security Office's Incident Response team at 412-268-2044 or iso-ir@andrew.cmu.edu.
The Information Security Office recommends that university affiliates not store Carnegie Mellon private or restricted data on Dropbox. See:
http://www.cmu.edu/iso/aware/cloud-computing/gmail-dropbox.html
For more guidance on classifying and protecting Carnegie Mellon data, see:
Guidelines for Data Classification
https://www.cmu.edu/iso/governance/guidelines/data-classification.html
Guidelines for Data Protection
https://www.cmu.edu/iso/governance/guidelines/data-protection/index.html
For more information on the Dropbox Login Password Bug incident, see:
The Dropbox Blog - Yesterday’s Authentication Bug
http://blog.dropbox.com/?p=821
Whom to Contact
Please direct any questions or comments to the Information Security Office at 412-268-2044 or iso@andrew.cmu.edu or to your departmental administrator or DSP consultant.