Yesterday Dropbox updated their code and a bug was introduced that made it possible to login at any account without the correct password. So for 4 hours it was possible for anyone to access any account.
According to their blog only about 1% of their users logged in during this time frame, some of them could have accessed accounts without passwords. As a precaution they ended all logged in sessions and will investigate unusual behavior and contact the owners of those accounts.
I can confirm that my own Dropbox account was accessed by someone and I also got an email from Dropbox informing me that they had disabled access for an app to my account. Luckily I didn’t have any important (or secret) files in my Dropbox account. This is from the email I got from Dropbox:
Based on a careful review of our records, we noticed that during the time the bug was in effect you:
- Linked an API app to your Dropbox
As a precautionary measure, we disabled any apps.
I still love Dropbox as a concept, but for any files that should remain private or secret I would encrypt them really good just as a precaution.
If you also have a Dropbox account you should check your files and the activities that was recorded on your account of the time of the Dropbox bug. According to the Dropbox blog the bug was introduced on their site at 1:54pm Pacific time and the bug was fixed at 5:46pm.