Dive Brief:
- Dropbox Sign was hit by a cyberattack that exposed data on all of its users, Dropbox said Wednesday in a filing with the Securities and Exchange Commission. The attacker gained access through an automated system configuration tool that carried elevated privileges in the electronic signature platform’s production environment.
- The attacker accessed a trove of user data and authentication information, including API keys, OAuth tokens, multifactor authentication details, hashed passwords, emails, usernames and phone numbers, the company said. The Dropbox Sign compromise also affected individuals who never created an account but received or signed a document through the platform, exposing their email addresses and names.
- “There is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information,” the file-hosting service provider said. “Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products.”
Dive Insight:
The company said it became aware of unauthorized access to Dropbox Sign on April 24 and immediately responded with the assistance of third-party forensic experts to investigate, contain and remediate the intrusion.
“The actor compromised a service account that was part of Sign’s backend, which is a type of non-human account used to execute applications and run automated services,” Dropbox said in a blog post. “As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.”
Dropbox’s security team reset users’ passwords and began rotating all API keys and OAuth tokens, the company said.
“This breach is especially significant since API keys and OAuth tokens were compromised,” Ray Kelly, fellow at Synopsys Software Integrity Group, said via email.
“Oftentimes, API keys are static and do not change so that organizations can automate their processes around their services. When these keys are compromised, a malicious actor can gain access to services that can be sensitive or cause monetary consequences for the victim.”
Dropbox said it doesn’t expect the attack to have a material impact on its business operations, but framed that assessment around its current understanding of the attack and its presumed containment to Dropbox Sign infrastructure.
Dropbox acquired the platform, then operating as HelloSign, for $230 million in early 2019. The company was founded in 2010.