Dropbox left user accounts unlocked for 4 hours Sunday
The bug was made possible because of the security architecture choice that Dropbox made, where encryption and decryption happen on Dropbox’s servers, rather than on individuals’ computers. This allows Dropbox to open files because it, not the user, holds the encryption key. That architecture adds to ease of use and lets people recover their files — even if they forget their password. In a system where a user unlocks their cloud files with their own encryption key, the data would be lost forever if the user forgets that key, and a complicated encryption key has to be entered into every client device that wants to sync via the locker.
However, Christopher Soghoian argues that Dropbox’s model introduces too many security vulnerabilities and that Dropbox overstated how secure its file storage was, leading him to file an FTC complaint against the company.
Dropbox strongly disputed that it ever misled its users, saying that its security was an upgrade from how users typically stored information on their own computers.
For those who are seeking a service similar to Dropbox, but with more security, Wuala and SpiderOak encrypt data on users’ devices, not on a central server.
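The trade-off described above (server-held keys that survive a forgotten password but turn a broken login check into a data exposure, versus device-derived keys that leave the server with ciphertext only but make a forgotten passphrase unrecoverable) can be made concrete with a small model of both designs. The following is an added illustration, not code from Dropbox, Wuala or SpiderOak; the class names, the `auth_bug` flag standing in for the "any password accepted" failure, the constructed salt and sample document, and the PBKDF2 work factor are all assumptions. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used only because it needs nothing beyond the standard library; a real client would use AES-GCM or similar from a vetted library.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000  # assumed work factor, kept low so the example runs quickly

def _subkey(master, label):
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    """Encrypt-then-MAC with separate enc/mac subkeys; returns nonce || ct || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def derive_key(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

class Service:
    """Storage service; auth_bug=True models a login check that accepts any password."""
    def __init__(self, auth_bug=False):
        self.auth_bug, self._creds, self._blobs = auth_bug, {}, {}

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, derive_key(password, salt))

    def _require_login(self, user, password):
        if self.auth_bug:
            return  # the bug: any password is accepted
        salt, stored = self._creds[user]
        if not hmac.compare_digest(stored, derive_key(password, salt)):
            raise PermissionError("bad credentials")

class ServerSideKeys(Service):
    """Dropbox-style design from the article: the service holds the key and decrypts for any logged-in session."""
    def __init__(self, auth_bug=False):
        super().__init__(auth_bug)
        self._key = secrets.token_bytes(32)

    def upload(self, user, password, name, plaintext):
        self._require_login(user, password)
        self._blobs[(user, name)] = encrypt(self._key, plaintext)

    def download(self, user, password, name):
        self._require_login(user, password)
        return decrypt(self._key, self._blobs[(user, name)])

    def recover_after_reset(self, user, name):
        return decrypt(self._key, self._blobs[(user, name)])  # possible only because the service holds the key

class ClientSideKeys(Service):
    """Wuala/SpiderOak-style design: the key is derived on the device; the service stores ciphertext only."""
    FILE_SALT = b"constructed-salt"  # constructed; a real client would use a random per-user salt

    def upload(self, user, password, name, passphrase, plaintext):
        self._require_login(user, password)
        self._blobs[(user, name)] = encrypt(derive_key(passphrase, self.FILE_SALT), plaintext)

    def download(self, user, password, name, passphrase):
        self._require_login(user, password)
        return decrypt(derive_key(passphrase, self.FILE_SALT), self._blobs[(user, name)])

DOC = b"constructed sample: 2010 tax return"

def _opens(fetch):
    """True if the fetched blob decrypts to the sample document, False on a key mismatch."""
    try:
        return fetch() == DOC
    except ValueError:
        return False

def compare_designs():
    """Outcome of a wrong-password login while the bug is live, and of a forgotten passphrase afterwards."""
    s, c = ServerSideKeys(auth_bug=True), ClientSideKeys(auth_bug=True)
    s.register("alice", "correct-horse")
    s.upload("alice", "correct-horse", "tax.pdf", DOC)
    c.register("alice", "correct-horse")
    c.upload("alice", "correct-horse", "tax.pdf", "file passphrase", DOC)
    return {
        "server_side_under_bug": s.download("alice", "WRONG", "tax.pdf"),  # plaintext despite the wrong password
        "client_side_under_bug_is_plaintext": _opens(lambda: c.download("alice", "WRONG", "tax.pdf", "guessed")),
        "server_side_recovers_after_reset": s.recover_after_reset("alice", "tax.pdf") == DOC,
        "client_side_recovers_if_passphrase_forgotten": _opens(lambda: c.download("alice", "correct-horse", "tax.pdf", "forgotten")),
    }
```

Running `compare_designs()` shows the two sides of the choice in one place: with the login check broken, the server-side design hands back the plaintext document to a session that presented the wrong password, while the client-side design hands back a blob that fails its authentication tag without the user's passphrase; conversely, only the server-side design can restore the document after a password reset, and the client-side user who forgets the passphrase is locked out for good.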
Security breaches are obviously the new black... it seems everyone wants to get in on the act :-(