On April 24th, 2024, Dropbox discovered unauthorized access to the production environments of Dropbox Sign after launching an investigation into a potential security issue.
What Happened in the Dropbox Sign Breach?
Dropbox Sign, formerly known as HelloSign, is an eSignature platform owned by Dropbox that allows users to send, sign and store documents online without leaving the Dropbox platform.
Upon investigation, Dropbox found that a threat actor had gained access to Dropbox Sign customer data including emails, usernames, phone numbers, and hashed passwords.
The attacker also accessed general account settings and authentication information such as API keys, OAuth tokens, and multi-factor authentication (MFA) setups.
For users who received or signed documents through Dropbox Sign but did not create an account, their email addresses and names were exposed as well.
How Did Hackers Breach Dropbox Sign’s Systems?
Dropbox determined that the threat actor had compromised a service account within Dropbox Sign’s backend infrastructure that was used to automate applications and services.
As this was a non-human account, it had elevated privileges to take actions within the production environment.
The attacker leveraged this compromised account to access Dropbox Sign’s customer database and steal user information.
“Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” warns Dropbox.
Dropbox’s Response and Advice for Impacted Users
Immediately after discovering the unauthorized access behind the Dropbox Sign breach, Dropbox reset all Dropbox Sign user passwords, logged out connected devices, and began coordinating the rotation of API keys and OAuth tokens.
The company also reported the incident to relevant authorities. While no evidence was found of access to user documents or payment information, Dropbox is still investigating further.
Dropbox advised affected users to reset their Sign passwords, delete and reconfigure MFA authenticator apps, and rotate API keys if used for integrations.
Users should also be vigilant against potential phishing attempts utilizing stolen data and change passwords for any other accounts if the same credentials were reused.
Dropbox continues working to contact all impacted users directly within the next week.
In response to the Dropbox Sign data breach, the company has published a security advisory with further details, including instructions on how to rotate API keys so that they regain full privileges.
Lessons from the Dropbox Sign Breach
The Dropbox Sign security incident poses privacy and security risks for Dropbox Sign customers.
Potentially millions of user records were exposed, containing personal information such as phone numbers.
As Dropbox Sign is designed for businesses to securely handle important agreements and contracts digitally, a data breach undermines trust in the platform.
Further questions also remain around how long the attackers had access before being detected.
Security practices could be improved by reducing the privileges granted to non-human (service) accounts and by monitoring their activity more closely for anomalies.
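To make that recommendation concrete, here is an added example (not Dropbox code, and not based on any knowledge of Dropbox Sign's infrastructure) of the two controls working together: a least-privilege policy that enumerates exactly which actions and resources an automation account is allowed to touch, plus an hourly row budget derived from its normal workload. A checker then runs constructed audit-log lines through that policy and reports both scope violations (the account reading tables it was never meant to read) and volume anomalies (far more rows than its job ever touches). The account name, resource names, log format and budget are all assumptions made up for the example.

```python
"""Least-privilege scope and volume monitoring for a service (non-human) account.

Added example; not Dropbox's code. The audit-log format, the account name
"svc-sign-automation", the resource names and the hourly budget are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    principal: str   # which account performed the action
    action: str      # e.g. "read", "write", "export"
    resource: str    # e.g. "signatures.queue"
    rows: int        # number of rows the action touched


# Constructed least-privilege policy: the automation job needs only these
# (action, resource) pairs and never touches more than a few thousand rows an hour.
SERVICE_ACCOUNT_POLICY = {
    "svc-sign-automation": {
        "allowed": {
            ("read", "signatures.queue"),
            ("write", "signatures.queue"),
            ("write", "audit.events"),
        },
        "max_rows_per_hour": 5_000,
    },
}


def parse_line(line: str) -> AuditEvent:
    """Parse one whitespace-separated audit line: <ts> <principal> <action> <resource> <rows>."""
    ts, principal, action, resource, rows = line.split()
    return AuditEvent(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        principal=principal,
        action=action,
        resource=resource,
        rows=int(rows),
    )


def find_anomalies(events: Iterable[AuditEvent], policy: dict) -> list[str]:
    """Return human-readable findings: scope violations first (in event order), then volume anomalies."""
    findings: list[str] = []
    hourly_rows: dict[tuple[str, datetime], int] = defaultdict(int)

    for ev in events:
        rules = policy.get(ev.principal)
        if rules is None:
            # An account with no policy at all should never appear in production logs.
            findings.append(f"{ev.ts.isoformat()} UNKNOWN: {ev.principal} touched {ev.resource}")
            continue
        if (ev.action, ev.resource) not in rules["allowed"]:
            findings.append(
                f"{ev.ts.isoformat()} SCOPE: {ev.principal} {ev.action} {ev.resource} not in policy"
            )
        hour = ev.ts.replace(minute=0, second=0, microsecond=0)
        hourly_rows[(ev.principal, hour)] += ev.rows

    # Volume check: a bulk read of a customer table dwarfs the job's normal workload.
    for (principal, hour), rows in sorted(hourly_rows.items()):
        budget = policy[principal]["max_rows_per_hour"]
        if rows > budget:
            findings.append(
                f"{hour.isoformat()} VOLUME: {principal} touched {rows} rows (budget {budget})"
            )
    return findings


# Constructed sample log: normal activity, then two bulk reads of tables outside the job's scope.
SAMPLE_LOG = """\
2024-04-24T02:10:05Z svc-sign-automation read signatures.queue 120
2024-04-24T02:15:11Z svc-sign-automation write audit.events 1
2024-04-24T02:40:30Z svc-sign-automation read customers.accounts 250000
2024-04-24T02:41:02Z svc-sign-automation read customers.auth_tokens 250000
2024-04-24T03:05:00Z svc-sign-automation read signatures.queue 90
"""


def analyse(log_text: str) -> list[str]:
    """Parse a log blob and evaluate it against SERVICE_ACCOUNT_POLICY."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return find_anomalies(events, SERVICE_ACCOUNT_POLICY)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the checker reports the two out-of-scope reads and one volume anomaly for the 02:00 hour; the point of pairing the two checks is that a compromised account which stays within its allowed resources would still trip the volume budget, while a small, carefully targeted read outside its scope would still trip the allowlist.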
While separate infrastructures protected other Dropbox products, the company faces a reputational challenge after failing to safeguard Sign user data.
The Dropbox Sign breach demonstrates that even large, trusted companies must constantly work to strengthen security defenses against evolving threats.
If you have more questions about the Dropbox data breach or how to secure your data, see the FAQ section of Dropbox's original blog post on the incident.