
Dropbox Sign Has Been Pwned…. And It’s Not Good If You’re A User Of This Service


If you pay a visit to this link, you’ll see that cloud storage firm Dropbox has disclosed that hackers breached production systems for its Dropbox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information:

On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

For those who received or signed a document through Dropbox Sign, but never created an account, email addresses and names were also exposed. Additionally, if you created a Dropbox Sign or HelloSign account, but did not set up a password with us (e.g. “Sign up with Google”), no password was stored or exposed. We’ve found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information.

From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.

Well, that’s pretty bad. But at least they admitted to it rather than kicking that can down the road for as long as they could get away with doing so. Melvin Lammerts, Hacking Lead at Hadrian, had this to say:

“Dropbox was upfront about their security breach, which is good. The fact that hackers gained access through a backend service account is worrisome. The leaked customer information could lead to possible account takeovers, highlighting the importance of robust security measures for backend service accounts and effective methods for detecting unusual activity. This incident demonstrates why companies need to be constantly testing their security in all systems, including those not (fully) publicly accessible.”

Ted Miracco, CEO of Approov Mobile Security, added:

“Considering this is the second breach in two years, a comprehensive security review of Dropbox’s entire ecosystem is advisable. This review should be conducted with external cybersecurity experts to ensure impartiality and a fresh perspective on security challenges. Dropbox has already taken some crucial initial steps such as resetting users’ passwords, logging users out of devices, and rotating API keys and OAuth tokens. These actions are essential to securing accounts and preventing further unauthorized access.”

If you use Dropbox Sign, you might want to put your head on a swivel for the next little while, as I am certain that secondary attacks are coming. As for Dropbox, the fact that they put this out there is good. But they will have a lot of questions that they need to answer in the coming days and weeks, along with reassuring their customers that this won’t happen again because they’ve taken all required steps to secure customer data.
