Tech News: Dropbox Says Hackers Stole Customer Data From its eSignature Service Dropbox Sign (HelloSign)
Dropbox has revealed a major attack on its digital signature (Dropbox Sign, formerly HelloSign) systems that saw customer data accessed by unknown and unauthorized entities.
For some users, phone numbers, hashed passwords, and certain authentication information, such as API keys, OAuth tokens, and multi-factor authentication details, were also accessed.
What's Going On:
Dropbox's blog post explains that its investigation revealed that a third party gained access to "a Dropbox Sign automated system configuration tool." Dropbox Sign itself is, basically, a DocuSign clone.
Dropbox has found no evidence that the attacker "accessed the contents of users' accounts, such as their agreements or templates, or their payment information."
No other Dropbox services were affected, including its core cloud file-syncing business.
Dropbox Sign is forcing users to reset their passwords and log out of devices connected to their accounts. It is also forcing users to reset their API keys and OAuth tokens.
This is Dropbox's second security breach since 2022. In the earlier incident, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company's GitHub accounts using stolen employee credentials.
What You Can Do
Ensure your devices are logged out of your Dropbox Sign account. Then, log back in and reset your password, using a password manager such as 1Password or Bitwarden to generate and store a secure one.
Those who use MFA (2FA) with Dropbox Sign should delete that account from their authenticator apps and set it up again with a new MFA key retrieved from their accounts.
If you receive an email from Dropbox Sign asking you to reset your password, DO NOT click any links in the email. Instead, visit the Dropbox Sign website directly and reset your password from the site.
My Take:
The attacker compromised a "service account," a non-human account used to execute applications and run automated services. The account "had privileges to take a variety of actions within Sign's production environment."
Companies really, seriously need to pay much more attention to the automated services and accounts within their networks, and to the privileges and abilities they give them. Attackers are ALWAYS looking for ANY path into a network, particularly corporate networks, to compromise and profit from data.
Until companies face significant consequences for a lack of action in these situations, they will continue to happen.
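To make the service-account point concrete, here is a small added example of the kind of check a defender can run. It is not Dropbox's code and says nothing about how Dropbox Sign is built; the account names, privilege names, and audit-log format are all hypothetical and constructed for the example. The script compares the privileges each automated account has been granted with the actions it actually exercised during a baseline window, so that never-used privileges can be removed (least privilege) and a privilege exercised for the first time after the baseline, such as a user export or a token read, stands out for alerting.

```python
"""Least-privilege audit for automated (service) accounts.

Added example, not Dropbox's code. Compares granted privileges with the
actions seen in an audit log so that (a) privileges never used can be
removed and (b) a privilege suddenly exercised for the first time after a
quiet baseline period is flagged. All names and the log format are
hypothetical, constructed for this example.
"""
from collections import defaultdict

# Constructed inventory: granted privileges per non-human account.
SERVICE_ACCOUNTS = {
    "sign-config-bot": {"config:read", "config:write", "users:read",
                        "users:export", "tokens:read"},
    "sign-mailer": {"mail:send", "templates:read"},
}

# Constructed audit log: "<ISO-8601 UTC timestamp> <actor> <action> <result>".
AUDIT_LOG = """\
2024-04-20T01:00:02Z sign-config-bot config:read ok
2024-04-20T01:00:03Z sign-config-bot config:write ok
2024-04-20T09:00:00Z sign-mailer mail:send ok
2024-04-20T09:00:01Z sign-mailer templates:read ok
2024-04-21T01:00:02Z sign-config-bot config:read ok
2024-04-21T01:00:03Z sign-config-bot config:write ok
2024-04-22T03:14:07Z sign-config-bot users:export ok
2024-04-22T03:14:09Z sign-config-bot tokens:read ok
malformed line that should be skipped
"""


def parse_audit_log(text):
    """Yield (timestamp, actor, action) from well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        # A valid record has four fields and an "area:verb" style action.
        if len(parts) < 4 or ":" not in parts[2]:
            continue
        yield parts[0], parts[1], parts[2]


def first_use_by_actor(events):
    """Map actor -> {action: timestamp of its first observed use}."""
    seen = defaultdict(dict)
    for ts, actor, action in events:
        seen[actor].setdefault(action, ts)
    return seen


def audit(accounts, log_text, baseline_end):
    """Return per-account findings.

    'unused': granted privileges with no use before baseline_end,
              i.e. candidates for removal.
    'new_after_baseline': granted privileges exercised for the first time
              only after the baseline; worth an alert, especially for
              data-export or credential-reading actions.
    'ungranted': actions seen that are not in the inventory (drift).
    ISO-8601 UTC timestamps compare correctly as plain strings.
    """
    seen = first_use_by_actor(parse_audit_log(log_text))
    findings = {}
    for account, granted in accounts.items():
        uses = seen.get(account, {})
        baseline_used = {a for a, ts in uses.items() if ts < baseline_end}
        late_used = {a for a, ts in uses.items() if ts >= baseline_end}
        findings[account] = {
            "unused": granted - baseline_used,
            "new_after_baseline": late_used & granted,
            "ungranted": set(uses) - granted,
        }
    return findings


if __name__ == "__main__":
    report = audit(SERVICE_ACCOUNTS, AUDIT_LOG, "2024-04-22T00:00:00Z")
    for account, finding in report.items():
        print(account, finding)
```

In the constructed log, sign-config-bot spends its whole baseline doing config reads and writes, so the three user and token privileges it also holds are pure attack surface, and their first use on the morning of 22 April is exactly the kind of event that should page someone. Real deployments would read the inventory from the identity provider and the events from the cloud audit log rather than from inline strings, but the comparison logic is the same.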
Although user files were not compromised in this attack, I suspect many customers are looking at other eSignature solutions that they can actually trust. Please ensure you are logged out of your Dropbox Sign account and redo your MFA/2FA security measures.
Thank you so much for reading this blog post! You can keep up to date with my latest posts right here on KevinTheTechGuy.ca, or via the RSS feed. You can also check out my FREE newsletter. Please consider supporting my work directly, or using Buy Me a Coffee! Your support makes my work possible.