Dropbox Announces Digital Signature Service Breach Impacting All Users
Dropbox, a provider of cloud storage services, revealed on Wednesday that unidentified threat actors compromised Dropbox Sign (formerly HelloSign), obtaining the email addresses, usernames, and general account settings of all users of the digital signature product.
The company disclosed in a filing with the U.S. Securities and Exchange Commission (SEC) that it became aware of the “illicit access” on April 24, 2024. Dropbox announced its intention to acquire HelloSign in January 2019.
“The threat actor obtained info relating to all users of Dropbox Sign, including emails and usernames, along with general account settings,” the company reported in its Form 8-K filing.
The threat actor also obtained phone numbers, hashed passwords, and specific authentication information (including API keys, OAuth tokens, and multi-factor authentication) for subsets of users.
Moreover, the breach extends to third parties who merely obtained or affixed their signatures to a document via Dropbox Sign without ever having established an account; in particular, their names and email addresses were exposed.
No indication has been found thus far that the attackers gained access to users’ payment information or account contents (e.g., templates or agreements). The incident is also reported to be limited to the Dropbox Sign infrastructure.
The perpetrators are believed to have broken into a Dropbox Sign automated system configuration tool and compromised a service account that is part of Sign’s backend. They then abused the elevated privileges associated with that account to gain unauthorized access to the company’s customer database.
The company did not disclose the number of customers whose information was compromised. It did state, however, that it is currently contacting all affected users and providing them with “step-by-step instructions” on how to protect their data.
“Our security team also reset users’ passwords, logged users out of any devices they had linked to Dropbox Sign, and is handling the rotation of all API keys and OAuth tokens,” according to the company.
Additionally, Dropbox stated that it is collaborating with regulatory and law enforcement agencies regarding the issue. A continued investigation into the intrusion is in progress.
This is the second occurrence of this nature to affect Dropbox in the past two years. The organization revealed in November 2022 that it had fallen prey to a phishing scheme, which facilitated illicit access to 130 of its source code repositories on GitHub by unidentified threat actors.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes frequently for Craw Security.