Dropbox Sign eSignature Platform’s Security Breach Impacts All Users, Even Those Without Accounts, according to cpomagazine.com.
Popular cloud storage provider Dropbox has suffered a significant security breach impacting all users of its eSignature platform Dropbox Sign (formerly HelloSign).
Dropbox entered the eSignature market in 2019 after acquiring HelloSign, which had 80,000 customers.
According to an 8-K filing with the U.S. Securities and Exchange Commission (SEC), Dropbox detected “unauthorized access” on April 24, 2024.
The San Francisco, California-based company responded by activating its incident response process to contain and mitigate the incident and launching an investigation to determine its scope. It also reset users’ passwords, logged out connected devices, and began rotating all API keys and OAuth tokens.
Based on its investigation, the cloud storage provider believes the threat actor compromised a Dropbox Sign automated system configuration tool and gained privileges to execute applications in the eSignature platform’s production environment.
“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services,” the company said in a data breach notification posted on its website.
The threat actor then used their access to compromise a Dropbox customer database and access personal information, including emails, usernames, phone numbers, and account settings.
Security breach impacts all Dropbox Sign eSignature users
Dropbox determined that the security breach impacted all its eSignature platform users, including those without an account.
“Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings,” Dropbox told the SEC.
In some cases, the threat actor accessed “phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
Dropbox disclosed that the eSignature platform’s security breach also exposed the names and email addresses of individuals “who received or signed a document through Dropbox Sign but never created an account.”
Businesses use eSignature platforms such as Dropbox Sign to send highly confidential documents such as agreements, contracts, and transactions. Exposing that information could severely affect their operations and expose them to various cyber risks.
Meanwhile, Dropbox has hired leading forensic experts to assist in understanding the scope of the eSignature platform’s security breach. It has also notified law enforcement and privacy regulatory authorities.
The company will also contact impacted eSignature users and provide “step-by-step instructions” to secure their information.
Other Dropbox services not impacted by security breach
Dropbox has not disclosed the number of users impacted by the eSignature security breach. In 2022, the company had 17.37 million paying customers, primarily small and mid-sized businesses, and 700 million registered users.
Nevertheless, the cloud storage services provider claims that the security breach was limited to the Dropbox Sign infrastructure, which is separate from other Dropbox services.
“Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation,” said the company.
The cloud storage services provider also said it deeply regrets the damage to its customers’ trust caused by its failure to protect their information.
This is the second time in two years that Dropbox has fallen victim to a cyber attack. In November 2022, the cloud storage provider leaked 130 GitHub source code repositories after it fell victim to a phishing attack.
Read the full article on cpomagazine.com.