Private details of some of Dropbox's 25 million users were exposed overnight after a bungled code update nullified account password security.
The glitch allowed accounts on the free cloud storage system - ostensibly protected by "military" security systems - to be accessed with any password.
Accounts were exposed for up to four hours, although the glitch was fixed in less than five minutes after it was reported by several users including security researcher Christopher Soghoian.
Dropbox co-founder Arash Ferdowsi said less than 1 percent of users - about 250,000 - had accessed accounts while the passwords were exposed.
"Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism," Ferdowsi wrote in a blog post today.
"A very small number of users logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions."
Ferdowsi said the company is conducting an investigation and will notify affected users.
"This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again."
Soghoian, who previously attacked Dropbox's claims that it uses military-strength security, was alerted to the breach through an email from an unnamed user.
The breach comes on the heels of the publication of a forensic tool developed to help investigators crack Dropbox accounts.