Dropbox, the popular cloud-based file storage and sharing service, on Wednesday filed a breach disclosure with the US Securities and Exchange Commission (SEC) stating that Dropbox Sign user info has been compromised.
The San Francisco-headquartered company also posted a blog on its website alerting customers to the breach.
“On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed Dropbox Sign customer information,” Dropbox stated.
The company said the threat actors were able to gain access to personal data such as “emails, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
Dropbox Sign is a service that allows individuals and businesses to sign, send, and track contracts and other documents using embedded eSignatures. In 2022, Dropbox quarterly reports showed the file hosting service had more than 700 million registered users across approximately 180 countries.
It's not clear how many Dropbox Sign users there are, but all Dropbox tier plans, including the free plan and business plan, include the Sign service.
According to the SEC 8-K filing, as of this report there has been no evidence that customer account information – including contract agreements or templates, and payment information – has been accessed by the unknown threat actor.
Furthermore, Dropbox states that the breach was limited to the Dropbox Sign infrastructure, and that other Dropbox products have not been impacted.
Dropbox customer database accessed
Investigators say the unauthorized third party gained access to the Sign environment using a Dropbox Sign automated system configuration tool.
“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services,” the filing stated.
Once in, the threat actor was able to use the compromised service account to escalate privileges within Sign’s production environment to access the customer database.
The company said it is now “in the process of reaching out to all impacted users… with step-by-step instructions on how to further protect their data.”
To help protect user data, Dropbox said its security team has:
- Reset all user passwords
- Logged users out of any devices connected to Dropbox Sign
- Rotated all API keys and OAuth tokens
The company notes that individual email addresses and names were also exposed for those who have used the service to receive or sign a document, even if they never created an account.
“At Dropbox, our number one value is to be worthy of trust. We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers,” the company said.
Dropbox said it has been working around the clock with outside forensic security investigators, that remediation efforts are ongoing, and that law enforcement has been notified.