Dropbox Sign user information accessed in data breach

Users of the Dropbox Sign document-signing service – until recently known as HelloSign – have been alerted to a data breach affecting their information after an undisclosed threat actor hacked into its systems.

Dropbox first became aware that someone had gained unauthorised access to the Dropbox Sign production environment on 24 April – suggesting they may have had access prior to this. On further investigation, it found that customer data including email addresses, usernames, phone numbers and hashed passwords had been accessed, as well as some authentication information including API keys, OAuth tokens and multifactor authentication (MFA).

Additionally, a number of people who received or signed a document through Dropbox Sign but never created an account have had their email addresses and names exposed. However, for those who created an account but did not set up a password – for example, because they signed up through a third-party account – no password was stored or exposed.

Dropbox said it had found no evidence of access to the contents of customer accounts or payment information, and neither had it found that any of its other products had been accessed. Dropbox Sign, which Dropbox acquired as HelloSign, still runs on separate infrastructure.

The company is now reaching out to impacted users with further information and instructions, and its security team has carried out a forced password reset and logged users out of any devices they had connected to Dropbox Sign. It is currently working to rotate all API keys and OAuth tokens.

“When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users,” the organisation said in a statement attached to a Securities and Exchange Commission (SEC) disclosure notice.

“Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool,” it continued. “The actor compromised a service account that was part of Sign’s backend, which is a type of non-human account used to ******** applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.

“At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers.”

Dropbox is now embarking on an “extensive review” to better understand exactly what happened and how, and how to better protect itself in future.

Incident response head Patrick Wragg said Dropbox Sign users might think they had a lucky escape because the accessed passwords were hashed, but given the compromise of API keys and other authentication data, there was still reason for concern.

“Take API keys and OAuth tokens, for example,” he said. “These are arguably worse than a password since they allow programmable, scriptable access to the owner’s Dropbox instance. In most instances, the API keys and OAuth tokens are created under a privileged pretence as they’re used for programmable, scripting purposes.

“Therefore, a threat actor can just use the keys/tokens to access the Dropbox account without a username, password and even MFA.”

Chief executive Andy Kays said: “This looks like a classic case of breach through acquisition. When a large company buys a smaller one, it can throw up major security risks. The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or there are compatibility issues as products, technologies, services and teams are integrated. The fact that only the Dropbox Sign product was breached – not the wider business – suggests that a security gap either existed with the HelloSign product at the time of purchase, or developed over time as the company changed and rebranded it.

“Adversaries having access to sensitive documents and a signature service offers tremendous scope for ******, identity theft, ****** and business email compromise,” he said. “Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.”
