Dropbox Sign, formerly HelloSign, disclosed in May 2024 a security breach that compromised customer data [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11].

Description

On April 24, 2024, Dropbox became aware of unauthorized access to the Dropbox Sign production environment: an attacker had compromised a service account, a non-human back-end account with elevated privileges in production [4] [5] [10]. The exposed data included email addresses [4] [6] [7], usernames [1] [2] [3] [4] [5] [6] [7] [9] [10] [11], phone numbers [1] [3] [4] [5] [6] [7] [9] [10] [11], hashed passwords [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], general account settings [1] [5] [6], API keys [1] [3] [5] [6] [7] [9] [10] [11], OAuth tokens [1] [3] [5] [6] [7] [10] [11], and multi-factor authentication details [1] [3] [6] [8] [10]. Names and email addresses of people who received or signed documents through Dropbox Sign were also exposed, even if they never created an account [6]. Customers' account contents (documents and agreements) and payment information were not accessed [1].

In response, Dropbox Sign reset users' passwords, logged users out of every device they had connected to the service [1] [7] [8] [10] [11], and rotated all API keys and OAuth tokens [7]. Because the attacker obtained MFA data, users who had set up multi-factor authentication are advised to delete their existing configuration and re-enroll, and all users are warned to expect phishing attempts that draw on the stolen contact details [1]. Users should also change any password they reused on other services and consider using a password manager [2].

The incident was reported to data protection regulators and law enforcement [7], affected customers are being contacted with instructions for protecting their data [10], and Dropbox Sign is reviewing the incident to prevent a recurrence [10]. Some affected customers said they hoped stronger security measures would follow. The breach was limited to the Dropbox Sign environment, and Dropbox does not expect it to have a material impact on its business operations [5]. Dropbox acquired HelloSign in 2019 for $230 million [5]; the number of affected customers was not disclosed [5].
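The key and token rotation performed on the Dropbox Sign side has a customer-side counterpart: every copy of an old API key, OAuth token or client secret in your own configuration has to be found so the replacement reaches each consumer and nothing keeps retrying with a revoked credential. The following Python script is an added example and is not code from Dropbox or from any of the cited articles. The variable-name prefixes it looks for (HELLOSIGN, DROPBOX_SIGN, HS), the set of credential kinds, and the assumption that Dropbox Sign secrets are 64 lowercase hex characters are all assumptions made for the illustration; the sample configuration lines are constructed and contain no real credentials.

```python
import re
from dataclasses import dataclass

# Constructed sample input standing in for .env files, CI variables and YAML
# fragments an organisation might hold. None of these values are real credentials.
SAMPLE_CONFIG = "\n".join([
    "# service-a/.env",
    "HELLOSIGN_API_KEY=" + "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2,
    "DATABASE_URL=postgres://app:app@db.internal:5432/app",
    "# service-b/config.yaml",
    'dropbox_sign_oauth_token: "' + "abcdef0123456789" * 4 + '"',
    "DROPBOX_SIGN_CLIENT_SECRET = '" + "f" * 64 + "'",
    "HS_API_KEY=notarealkey",
    "STRIPE_SECRET_KEY=sk_test_placeholder",
])

# A "NAME = value" or "name: value" assignment, as found in .env and YAML-style files.
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*(.*?)\s*$")

# Variable names that belong to Dropbox Sign / HelloSign credentials. The product
# prefixes come from the service's two names; the "hs" abbreviation and the list of
# credential kinds are assumptions for this example. A separator is required after
# the prefix so that e.g. HSM_API_KEY is not mistaken for a HelloSign key.
SIGN_CREDENTIAL_NAME = re.compile(
    r"(?i)^(?:hellosign|dropbox[_-]?sign|hs)[_-](?:.*?[_-])?"
    r"(api[_-]?key|oauth[_-]?token|access[_-]?token|client[_-]?secret)$"
)
KIND_LABELS = {
    "apikey": "api_key",
    "oauthtoken": "oauth_token",
    "accesstoken": "oauth_token",
    "clientsecret": "client_secret",
}

# Assumption: Dropbox Sign API keys and OAuth tokens are 64 lowercase hex characters.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    kind: str                # api_key, oauth_token or client_secret
    looks_like_secret: bool  # value has the assumed 64-hex shape
    preview: str             # masked value, safe to paste into a rotation ticket


def _strip_quotes(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _mask(value):
    # Enough to recognise the credential in a vault, never enough to use it.
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_sign_credentials(text):
    """Return one Finding per assignment whose name looks like a Dropbox Sign credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, raw_value = m.group(1), m.group(2)
        kind_match = SIGN_CREDENTIAL_NAME.match(name)
        if not kind_match:
            continue
        kind = KIND_LABELS[re.sub(r"[-_]", "", kind_match.group(1)).lower()]
        value = _strip_quotes(raw_value)
        findings.append(Finding(line_no, name, kind, bool(HEX64.match(value)), _mask(value)))
    return findings


def rotation_worklist(text):
    """Group findings by credential kind: each entry is a secret that must be regenerated
    and redeployed, whether or not its current value looks well-formed."""
    by_kind = {}
    for f in find_sign_credentials(text):
        by_kind.setdefault(f.kind, []).append(f"line {f.line_no}: {f.name} ({f.preview})")
    return by_kind


if __name__ == "__main__":
    for kind, entries in rotation_worklist(SAMPLE_CONFIG).items():
        print(kind)
        for entry in entries:
            print("  " + entry)
```

The name-based match is deliberately loose and the value-shape check deliberately strict: a credential with an odd-looking value still needs rotating, so the worklist includes it, while the masked preview lets the ticket identify the secret without copying it around.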

Conclusion

Dropbox Sign responded to the breach by invalidating the credentials the attacker could have obtained, notifying regulators and affected customers, and reviewing the incident to prevent a recurrence. Customers still have work to do on their side: generate new Dropbox Sign API keys and OAuth tokens wherever the old ones are stored, re-enroll MFA, change any reused passwords, and treat unexpected email that references Dropbox Sign with suspicion. Dropbox does not expect the breach to materially affect its business operations.

References

[1] https://www.techradar.com/pro/security/dropbox-confirms-esign-tool-hit-by-major-data-breach-confirms-customer-info-leaked
[2] https://tech.co/news/dropbox-data-breach-check-affected
[3] https://www.crn.com/news/security/2024/dropbox-says-esignature-service-was-hacked-authentication-data-accessed
[4] https://www.csoonline.com/article/2097486/dropbox-sign-hack-exposed-user-data-raises-security-concerns-for-e-sign-industry.html
[5] https://www.techtarget.com/searchsecurity/news/366583233/Dropbox-discloses-data-breach-involving-Dropbox-Sign
[6] https://www.helpnetsecurity.com/2024/05/02/dropbox-sign-breached/
[7] https://www.malwarebytes.com/blog/news/2024/05/dropbox-sign-customer-data-accessed-in-breach
[8] https://www.forbes.com/sites/daveywinder/2024/05/02/dropbox-warns-hacker-accessed-customer-passwords-and-mfa-data/
[9] https://www.infosecurity-magazine.com/news/security-breach-dropbox-sign/
[10] https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign
[11] https://www.darkreading.com/application-security/dropbox-breach-exposes-customer-credentials-authentication-data