Something really scary happened at Dropbox recently. The system was left wide open for about 5-6 hours and anyone could sign-in to your Dropbox account if all they knew were your email address. They could just type any random characters in the password box and the Dropbox would let them in.
The bug has now been fixed but it to ensure that no one else has accessed your Dropbox account in the recent past, here are few things you should do.
Perform a Security Audit of your Dropbox Account
Unlike Gmail, Dropbox doesn’t offer you a list of IP address that have recently accessed your account else that would have really helped understand if anyone else got into your account during that period.
There are however a few things that you may do at your end.
#1. The Dropbox website has an events page – dropbox.com/events – that details all the recent activity around your Dropbox account. It won’t show details for sign-ins or which of your files were downloaded but you’ll at least get know if someone has removed or added any files to your Dropbox storage without your knowledge. The Events log can also help you determine if any of your Dropbox file folders were shared with another user.
#2. Another page – dropbox.com/account – maintains a list all computers and mobile devices that are currently linked to your Dropbox account. If you see an unknown computer or mobile phone listed on this page, or if a device you own is missing, it is something to worry about.
#3. Finally, carefully review the third-party apps that are associate with your Dropbox. Open the My Apps pages to confirm that only known apps have access to your Dropbox account.
Update: I contacted Dropbox support at firstname.lastname@example.org asking them for a list of IP addresses that accessed my account in the past day or so. They didn’t provide that list but were kind enough to review my account:
I have the reviewed the logs for your account and have not been able to detect any relevant account activity for your account during the time period, so I believe that your account was unaffected by the bug.
At this point, we have emailed accounts that logged in during the time period with additional activity-related details for review. We’re sorry for this situation and regardless of how many people were ultimately affected, any exposure at all is unacceptable to us.
Dropbox support also said that they have contacted all accounts that reported log-in activity during the “unlocked” period – just hope that no such email lands in your Inbox because if someone else has read or downloaded your documents stored on Dropbox, you can’t really do anything about it now.