Dropbox has disclosed that attackers breached the production systems of its Dropbox Sign eSignature service, gaining access to authentication tokens, MFA keys, hashed passwords, and customer data.
Dropbox Sign is an eSignature platform that lets customers send documents online and collect legally binding signatures. Dropbox stated that it discovered unauthorised access to Dropbox Sign's production systems on April 24 and initiated an investigation.
According to the investigation, the threat actors gained access to a Dropbox Sign automated system setup tool that is part of the platform's backend services. This tool runs applications and automated services with elevated privileges, which gave the attacker access to the customer database.
In addition, the company found that the attackers had accessed customer information held in Dropbox Sign, including email addresses, usernames, phone numbers, and hashed passwords. It also warned users that the threat actors had reached general account settings and certain authentication material, such as API keys, OAuth tokens, and multi-factor authentication (MFA) keys.
Users who received or signed a document through the platform without creating an account had their names and email addresses exposed. There is no evidence that the threat actors gained access to customers' documents or agreements, nor that they reached the systems of other Dropbox products.
Dropbox says it has reset all user passwords, logged out all sessions, and restricted how API keys can be used. Its security notice includes further information on rotating API keys to regain full privileges.
Customers who use MFA with the eSignature platform should also delete the existing entry from their authenticator apps and re-enrol with a new MFA key obtained from the website.
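To show why re-enrolment, and not just a password reset, is needed once MFA seeds may have been exposed, here is an added example (not code from the article or from Dropbox) implementing RFC 6238 TOTP: a copied seed yields exactly the codes the server expects, and only a freshly generated seed breaks that link. The seed values and the server-side verifier below are constructed for illustration.

```python
# Added example (not part of the original article or Dropbox's code):
# RFC 6238 TOTP, used to show why a leaked MFA seed must be replaced.
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check (constructed) accepting +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + k * 30), code)
        for k in range(-window, window + 1)
    )


def seeds_produce_same_codes(seed_a: bytes, seed_b: bytes, at: int, steps: int = 5) -> bool:
    """True if both seeds yield identical codes for `steps` consecutive periods."""
    return all(totp(seed_a, at + i * 30) == totp(seed_b, at + i * 30) for i in range(steps))


def new_enrollment_secret() -> str:
    """Fresh 160-bit seed, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


if __name__ == "__main__":
    now = int(time.time())
    user_seed = secrets.token_bytes(20)   # constructed: the seed stored server-side
    stolen_copy = bytes(user_seed)        # constructed: a copy taken from the database
    # A copied seed is indistinguishable from the real authenticator.
    print("copied seed passes verification:", verify_totp(user_seed, totp(stolen_copy, now), now))
    # Only re-enrolment with a fresh seed invalidates the copy.
    fresh = base64.b32decode(new_enrollment_secret())
    print("copy still matches after re-enrolment:", seeds_produce_same_codes(stolen_copy, fresh, now))
```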
Customers should also be on the lookout for phishing attempts that use this data to harvest further sensitive information, such as plaintext passwords. Dropbox urges recipients of the notification emails to reset their passwords and not to click any links in the email, so as not to fall victim to attackers who exploit such incidents.