artbase - stock.adobe.com
Dropbox Sign user information accessed in data breach
Account data belonging to Dropbox Sign users was accessed by an unknown threat actor after they hacked into the organisation’s backend infrastructure
Users of the Dropbox Sign document-signing service – until recently known as HelloSign – have been alerted to a data breach affecting their information after an undisclosed threat actor hacked into its systems.
Dropbox first became aware that someone had attained unauthorised access to the Dropbox Sign production environment on 24 April – suggesting they may have had access prior to this. On further investigation, it found that customer data including email addresses, usernames, phone numbers and hashed passwords had been accessed, as well as some authentication information including application programming interface (API) keys, OAuth tokens and multi-factor authentication (MFA).
Additionally, a number of people who received or signed a document through Dropbox Sign but never created an account have had their email addresses and names exposed. However, those who created an account but did not set up a password – for example, they signed up through a Google account – no password was stored or exposed.
Dropbox said it had found no evidence of access to the contents of customer accounts or payment information, and neither had it found any of its other products had been accessed. Dropbox Sign, which was acquired in 2019, still runs on separate infrastructure.
The company is now reaching out to impacted users with further information and instructions, and its security team has carried out a forced password reset and logged users out of any devices they had connected to Dropbox Sign. It is currently working to rotate all API keys and OAuth tokens.
“When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users,” the organisation said in a blog post attached to a Securities and Exchange Commission (SEC) disclosure notice.
“Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool,” it continued. “The actor compromised a service account that was part of Sign’s backend, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.
“At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers.”
Recent data breaches
- Australian flag carrier Qantas has apologised after a glitch in its mobile application temporarily enabled some customers to view the flights and booking details of other frequent fliers on two separate occasions.
- UnitedHealth Group CEO Andrew Witty's opening statement for Wednesday's US congressional hearing shed more light on the ransomware attack against Change Healthcare.
- The ICO has urged charities and healthcare organisations that work with people living with HIV to do better when it comes to protecting their personal data, after the HIV status of more than 100 people was exposed in a breach.
Dropbox is now embarking on an “extensive review” to better understand exactly what happened and how, and how to better protect itself in future.
Integrity360 incident response head Patrick Wragg said Dropbox Sign users might think they had a lucky escape because the accessed passwords were hashed, but given the compromise of API keys and other authentication data, there was still reason for concern.
“Take API keys and OAuth tokens, for example,” he said. “These are arguably worse than a password since they allow programmable, scriptable access to the owner’s Dropbox instance. In most instances, the API keys and OAuth tokens are created under a privileged pretence as they’re used for programmable, scripting purposes.
“Therefore, a threat actor can just use the keys/tokens to access the Dropbox account without a username, password and even MFA.”
Socura CEO Andy Kays said: “This looks like a classic case of breach through acquisition. When a large company buys a smaller one, it can throw up major security risks. The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or there are compatibility issues as products, technologies, services and teams are integrated. The fact that only the Dropbox Sign product was breached – not the wider business – suggests that a security gap either existed with the HelloSign product at the time of purchase, or developed over time as the company changed and rebranded it.
“Adversaries having access to sensitive documents and a signature service offers tremendous scope for abuse, identity theft, fraud and business email compromise,” he said. “Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.”