Dropbox data breach exposes all Dropbox Sign users

The popular online storage solution has revealed details of a cyber incident that exposed user data and authentication keys.

Online storage provider Dropbox has revealed details of a cyberattack on its e-signature and workflow solution Dropbox Sign that has affected all users of the application.

Dropbox disclosed details of the incident in a filing with the U.S. Securities and Exchange Commission on April 29 and in a blog post on May 1.

According to the filing, Dropbox became aware of “unauthorized access to the Dropbox Sign (formerly HelloSign) production environment” on April 24.

“We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident,” Dropbox’s Form 8-K said.

“Upon further investigation, we discovered that the threat actor had accessed data related to all Dropbox Sign users, such as emails and usernames, in addition to general account settings.”

A “subset of users” also had their hashed passwords, phone numbers, API keys, OAuth tokens, and multi-factor authentication details accessed. Fortunately, as far as Dropbox knows, the threat actor did not access the content of users’ accounts.

“Furthermore, we believe this incident was limited to the Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation,” Dropbox said.

Authorities have been informed and Dropbox is working with “industry-leading forensic investigators” to investigate the incident.

The blog post reiterates much of what was said in the SEC filing, although it adds one worrying detail: even the data of people who merely signed a document, without ever setting up a Dropbox Sign account, was accessed.

“For those who received or signed a document through Dropbox Sign but never created an account, email addresses and names were also exposed,” Dropbox said in its blog post.

There’s at least some good news about the hack: It doesn’t appear to have affected Dropbox storage itself.

“From a technical perspective, the Dropbox Sign infrastructure is largely separate from other Dropbox services,” Dropbox said.

“That said, we thoroughly investigated this risk and believe this incident was isolated to the Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Dropbox is in the process of contacting affected customers and has already reset user passwords and signed all users out of Dropbox Sign, as well as “coordinating the rotation of all API keys and OAuth tokens.”
