Dropbox Discloses Breach of Digital Signature Service Affecting All Users

Cloud storage solutions service provider Dropbox on Wednesday disclosed that Dropbox Indication (formerly HelloSign) was breached by unknown threat actors, who accessed e-mails, usernames, and common account configurations connected with all users of the digital signature product or service.

The corporation, in a submitting with the U.S. Securities and Exchange Commission (SEC), explained it turned knowledgeable of the “unauthorized access” on April 24, 2024. Dropbox introduced its plans to obtain HelloSign in January 2019.

“The danger actor experienced accessed facts similar to all users of Dropbox Indication, these types of as e-mails and usernames, in addition to normal account options,” it mentioned in the Form 8-K filing..

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

“For subsets of consumers, the risk actor also accessed phone numbers, hashed passwords, and certain authentication data such as API keys, OAuth tokens, and multi-factor authentication.”

Even worse, the intrusion also influences third-events who acquired or signed a document via Dropbox Signal, but never produced an account on their own, specifically exposing their names and email addresses.

Investigation carried out so far has uncovered no evidence that the attackers accessed the contents of users’ accounts, this kind of as agreements or templates, or their payment details. The incident is also stated to be restricted to Dropbox Indicator infrastructure.

The attackers are believed to have acquired accessibility to a Dropbox Indication automatic program configuration instrument and compromised a provider account that is part of Sign’s backend, exploiting the account’s elevated privileges to accessibility its shopper database.

The business, nonetheless, did not disclose how several clients were affected by the hack, but claimed it is in the method of reaching out to all impacted buyers along with “step-by-move guidance” to protect their info.

“Our security crew also reset users’ passwords, logged consumers out of any products they had connected to Dropbox Indicator, and is coordinating the rotation of all API keys and OAuth tokens,” it mentioned.

Dropbox also mentioned it is really cooperating with law enforcement and regulatory authorities on the make a difference. Even more evaluation of the breach continues to be ongoing.

The breach is the 2nd this kind of incident to goal Dropbox within two a long time. In November 2022, the firm divulged it was the target of a phishing campaign that allowed unknown risk actors to gain unauthorized obtain to 130 of its resource code repositories on GitHub.

Identified this short article attention-grabbing? Comply with us on Twitter  and LinkedIn to browse a lot more exceptional content material we article.