Original Article Text


Dropbox says hackers stole customer data, auth secrets from eSignature service.

Cloud storage firm Dropbox says hackers breached production systems for its Dropbox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information. Dropbox Sign (formerly HelloSign) is an eSignature platform that lets customers send documents online to receive legally binding signatures.

The company says it detected unauthorized access to Dropbox Sign's production systems on April 24 and launched an investigation. The investigation determined that the threat actors gained access to a Dropbox Sign automated system configuration tool, which is part of the platform's backend services. This configuration tool enabled the threat actor to execute applications and automated services with elevated privileges, allowing the attacker to access the customer database.

"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication," warns Dropbox.

For users who signed documents through the eSignature platform but never registered an account, their email addresses and names were also exposed. The company says it found no evidence that the threat actors gained access to customers' documents or agreements, or that they accessed the platforms of other Dropbox services.

Dropbox says it has reset all users' passwords, logged out all sessions to Dropbox Sign, and restricted how API keys can be used until they are rotated by the customer. The company has provided additional information in its security advisory on how to rotate API keys so they once again receive full privileges.
Those who use MFA with Dropbox Sign should delete the configuration from their authenticator apps and reconfigure it with a new MFA key retrieved from the website. Dropbox says it is currently emailing all customers who were impacted by the incident. For now, Dropbox Sign customers should be on the lookout for phishing campaigns that use this data to collect sensitive information, such as plaintext passwords. If you receive an email from Dropbox Sign asking you to reset your password, do not follow any links in the email. Instead, visit Dropbox Sign directly and reset your password from the site.
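The advice to reconfigure MFA rather than merely reset passwords follows from how TOTP works: the authenticator and the server share a seed, and anyone holding that seed computes the same six-digit codes. The following is an added illustration written for this brief, not code from Dropbox or from the article. It implements RFC 6238 TOTP with the Python standard library and models a server-side account whose seed was in the exposed data; the seeds, the `Account` record and the re-enrolment flow are constructed for the example and are not Dropbox Sign's implementation.

```python
"""Why a leaked MFA seed must be re-provisioned, not just "reset".

Added example (not Dropbox's code). Models the server side of TOTP: while the
exposed seed remains enrolled, codes derived from it keep validating; only
re-enrolling the account with a fresh seed invalidates them.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class Account:
    """Constructed server-side record: the only MFA state is the enrolled TOTP seed."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def verify(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept the code for the current step and +/- `window` steps of clock drift."""
        counter = unix_time // STEP_SECONDS
        return any(hmac.compare_digest(hotp(self.seed, counter + d), code)
                   for d in range(-window, window + 1))

    def reenroll(self) -> bytes:
        """Re-provision MFA: generate a fresh 160-bit seed and hand it to the user
        to load into their authenticator (in practice via a new QR code)."""
        self.seed = secrets.token_bytes(20)
        return self.seed


def leaked_seed_still_valid(account: Account, leaked_seed: bytes, unix_time: int) -> bool:
    """Does a code computed from the exposed seed still pass server verification?"""
    return account.verify(totp(leaked_seed, unix_time), unix_time)


def demo(unix_time: int):
    """Return (accepted_before_reenrol, accepted_after_reenrol) for a leaked seed."""
    # Constructed seed standing in for a TOTP secret present in the exposed data
    # (this is the RFC 6238 reference secret, used so the output is checkable).
    leaked = b"12345678901234567890"
    account = Account(leaked)
    before = leaked_seed_still_valid(account, leaked, unix_time)  # True: password reset alone changes nothing
    account.reenroll()
    after = leaked_seed_still_valid(account, leaked, unix_time)   # False once a new seed is enrolled
    return before, after


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(b"12345678901234567890", 59))  # 287082
    print("leaked seed accepted before/after re-enrolment:", demo(int(time.time())))
```

The check against the RFC 6238 test vector (T=59 yields 287082 with the reference secret) confirms the arithmetic; the `demo` result shows the point the advisory makes: until the user deletes the old entry from their authenticator and enrols a new seed, the server still accepts codes that anyone holding the exposed seed can compute.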

Daily Brief Summary

DATA BREACH // Dropbox Reports Significant Data Theft from eSignature Service

Dropbox has confirmed a significant breach of its Dropbox Sign eSignature platform, formerly known as HelloSign.

Hackers accessed authentication tokens, MFA keys, hashed passwords, and customer information including emails, usernames, and phone numbers.

The breach was detected on April 24; unauthorized access was gained through an automated system configuration tool that runs with elevated privileges.

Fortunately, there is no evidence that customer documents or agreements were accessed, nor were other Dropbox services affected.

Dropbox has reset all passwords, logged out sessions, and imposed restrictions on API key usage pending customer rotation.

Users of Dropbox Sign are advised to update MFA configurations and stay vigilant against potential phishing attempts using the stolen data.

Dropbox is contacting all affected customers and has issued a security advisory with guidelines on how to handle the situation securely.