Dropbox revealed on Wednesday that Dropbox Sign (formerly known as HelloSign) was compromised by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product.
The company reported the «unauthorized access» on April 24, 2024, to the US Securities and Exchange Commission (SEC). Dropbox announced its plans to acquire HelloSign in January 2019.
«The threat actor accessed data related to all Dropbox Sign users, such as emails, usernames, and general account settings,» the Form 8-K report stated.
«For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and specific authentication information such as API keys, OAuth tokens, and two-factor authentication.»
Even worse, the intrusion also affects third parties who received or signed a document via Dropbox Sign but never created an account themselves, specifically exposing their names and email addresses.
The investigation found no evidence that the attackers accessed the content of user accounts, such as agreements or templates, nor their payment information. The incident is also believed to be confined to Dropbox Sign‘s infrastructure.
The attackers are believed to have gained access to an automated system configuration tool of Dropbox Sign and compromised a service account that is part of the Sign infrastructure, exploiting the account’s elevated privileges to access its customer database.
However, the company did not disclose how many customers were affected by the hack, but stated it is in the process of reaching out to all affected users along with «step-by-step instructions» to secure their information.
«Our security team also reset user passwords, logged out users on any device they were logged into via Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens,» it noted.
Dropbox also stated that it is cooperating with law enforcement and regulatory authorities on the matter. Further analysis of the attack is ongoing.
This incident marks the second security breach for Dropbox in two years. In November 2022, the company disclosed that it fell victim to a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its code repositories on GitHub.
Vía The Hacker News