
Dropbox is warning customers that their sensitive information may have been exposed following a data breach that saw hackers compromise its e-signature service, Dropbox Sign. 

The incident, which took place in April, allowed hackers to gain access to sensitive account data, including email addresses, usernames, phone numbers, hashed passwords, and authentication data such as API keys, OAuth tokens and multi-factor authentication.

Users who only received or signed a document through Sign without creating an account also had their names and email addresses compromised by the breach. But there is no indication that payment information or customers’ signed documents and agreements were exposed. 

Dropbox first detected unauthorized access to Dropbox Sign's production systems on April 24 and launched an investigation. They later determined that the threat actors gained access to a Dropbox Sign automated system configuration tool, which is part of the platform's backend services.

The compromised account could execute applications and automated services with elevated privileges, which let the attacker reach the customer database.

"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication," warned Dropbox in a statement.

Dropbox data breach statement.

"The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services."

“As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.”

‘A lucrative target’

In response to the data breach, Dropbox says it has reset all users' passwords, logged out all sessions to Dropbox Sign, and restricted how API keys can be used until they are rotated.

The company is also advising customers who use an authenticator app for MFA to reset it, and to change passwords on other online services where their Sign password was reused. 

“Large organisations such as Dropbox will always be a lucrative target in the eyes of cyber criminals due to the amount of sensitive information they hold,” said Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure.

“Authentication processes are put in place to prevent cyber criminals from accessing systems or accounts even when they have stolen credentials; however, the theft of authentication data such as tokens and certificates can allow these security processes to be completely bypassed.”

Protecting against the Dropbox data breach

Dropbox says it is currently emailing all customers who were impacted by the incident. For now, Dropbox Sign customers should be on the lookout for potential phishing emails that use their Dropbox data to collect further sensitive information, such as plaintext passwords.

“Whilst the investigation into the breach continues, users should be on the lookout for any potential phishing emails or any other form of unsolicited communication,” added Robinson.

“With the type of data stolen, a cyber attacker could craft extremely plausible, targeted phishing emails, texts, and phone calls.”

If you receive an email from Dropbox Sign asking you to reset your password, do not follow any links in the email. Instead, visit Dropbox Sign directly and reset your password from the site.