File hosting service Dropbox has confirmed that attackers have breached the Dropbox Sign production environment and accessed customer personal and authentication information.
“From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products,” the company shared on Wednesday.
How was Dropbox Sign breached?
Dropbox Sign (formerly HelloSign) is a platform that allows users to sign documents online.
“On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment,” the company said.
“Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment.”
Which information has been compromised?
The attackers used the access they had gained to the Dropbox Sign production environment to reach the customer database. More specifically, they accessed:
- Dropbox Sign customer and account information: email addresses, usernames, phone numbers and hashed passwords, and general account settings
- Authentication information: API keys, OAuth tokens, and multi-factor authentication
The email addresses and names of users who have received or signed a document through Dropbox Sign (but don’t actually have an account) have also been exposed. Passwords of Dropbox Sign customers who signed up via single sign-on have not been exposed.
“We’ve found no evidence of unauthorized access to the contents of users’ accounts (i.e. their documents or agreements),” Dropbox says, though the investigation is ongoing and that might change.
Advice for affected customers
Dropbox is notifying affected customers and advising them to reset their passwords, rotate API keys, change their password on other accounts if they reused the same password they used for Dropbox Sign, and reset their authenticator app entry. (“If you use SMS you do not need to take any action.”)
Dropbox has expired the exposed passwords, logged users out of the devices they used to connect to Dropbox Sign, and restricted certain functionality of API keys until customers rotate them. The company is also reviewing the incident “to better understand how this happened, and to protect against this kind of threat in the future.”
Law enforcement and regulatory authorities (including the SEC) have been notified of the incident.