The 2011 authentication bug: any password unlocked any account
June 2011
For nearly four hours on 19 June 2011, a code update left Dropbox accounts accessible with any password at all — anyone could sign in to any account by typing anything.
What happened
On 19 June 2011 Dropbox deployed a code change that broke its authentication system. For a window of about four hours, the password check was effectively disabled: any account could be opened by entering any password, whether or not it matched the account's real one. For the duration of the bug, the private files of tens of millions of users were protected by nothing.
Dropbox said it discovered the problem and fixed it within around four hours, and that fewer than 1% of accounts were accessed during the window. But the incident crystallized a criticism security researchers had already been making: because Dropbox held the keys to users' files and decrypted them server-side, a single bug in its own code could expose everyone's data at once — something that would be impossible under true end-to-end encryption.
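The class of failure described above, a deploy that leaves a password check accepting anything, is exactly what a fail-closed regression gate catches before the build reaches production. The following is an added illustration, not Dropbox's code and not a reconstruction of its actual bug: `verify_password_broken` is a hypothetical verifier whose comparison was lost in a refactor, and `auth_self_test` is a pre-deploy check that must reject wrong and empty passwords, not just accept the right one.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Derive a PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, stored):
    """Correct verifier: recompute the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def verify_password_broken(password, salt, stored):
    """Hypothetical regression (constructed for this example): the digest is
    recomputed but never compared, so every password is accepted and only
    an exception yields a rejection. Illustrates the failure mode, not the
    real 2011 code."""
    try:
        hash_password(password, salt)
        return True  # the comparison against `stored` was dropped
    except Exception:
        return False


def auth_self_test(verify):
    """Deploy-time gate for any verifier: it must accept the correct
    password AND reject a wrong one AND reject an empty one.
    Returns True only if all three negative/positive cases hold."""
    salt, stored = hash_password("correct horse battery")  # constructed credential
    accepts_right = verify("correct horse battery", salt, stored)
    rejects_wrong = not verify("wrong password", salt, stored)
    rejects_empty = not verify("", salt, stored)
    return bool(accepts_right and rejects_wrong and rejects_empty)


if __name__ == "__main__":
    print("correct verifier passes gate:", auth_self_test(verify_password))
    print("broken verifier passes gate: ", auth_self_test(verify_password_broken))
```

A suite that only asserts "the right password works" would have passed the broken verifier; the negative cases are the ones that catch an any-password-accepted bug.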
Impact
The bug became a reference point in the debate over Dropbox's security architecture. Weeks earlier, researcher Christopher Soghoian had filed an FTC complaint accusing Dropbox of misleading users about how its encryption worked; the authentication bug appeared to validate the underlying concern that Dropbox could access user files and that its server-side model created a single point of catastrophic failure. It durably damaged trust among privacy-conscious users and fueled the market for 'zero-knowledge' competitors.