E-signature service providers DropBox Sign suffered a cyberattack recently, in which hackers stole some seriously sensitive customer information.
As per the data breach notification published on the DropBox Sign website, an unidentified threat actor managed to compromise a service account that was part of the product’s back-end. The company did not detail exactly how the account was compromised, but it did describe it as a “non-human account used to execute applications and run automated services.”
This account has elevated privileges, which the attacker used to access the production environment, and through it, the customer database.
Responding to the incident
The information within the database includes people’s emails, usernames, phone numbers, hashed passwords, general account settings, API keys, OAuth tokens, and multi-factor authentication (MFA). Even those who never registered an account, but received or signed a document through the service, have had their email addresses and names exposed.
There is no evidence that the attackers accessed the contents of customer accounts, or payment information, DropBox confirmed.
The company discovered the breach on April 24, it further explained. In response, it reset user passwords, logged people out of all of their connected devices, and is currently coordinating the rotation of all API keys and OAuth tokens.
The incident has been reported to the police, DropBox concluded.
If you are a DropBox Sign user, you should delete the MFA configuration from your authenticator apps, and set up the feature again. Also, be on the lookout for any suspicious emails, claiming to come from DropBox Sign, especially if they are demanding urgent action (for example, urgent password resetting). Instead, make sure to visit the DropBox Sign site manually, and reset your login credentials there.
DropBox Sign prepared a customer FAQ list here, which includes details on how to rotate API keys.
