Cloud storage solutions service provider Dropbox on Wednesday disclosed that Dropbox Indication (formerly HelloSign) was breached by unknown threat actors, who accessed e-mails, usernames, and common account configurations connected with all users of the digital signature product or service.
The corporation, in a submitting with the U.S. Securities and Exchange Commission (SEC), explained it turned knowledgeable of the “unauthorized access” on April 24, 2024. Dropbox introduced its plans to obtain HelloSign in January 2019.
“The danger actor experienced accessed facts similar to all users of Dropbox Indication, these types of as e-mails and usernames, in addition to normal account options,” it mentioned in the Form 8-K filing..
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“For subsets of consumers, the risk actor also accessed phone numbers, hashed passwords, and certain authentication data such as API keys, OAuth tokens, and multi-factor authentication.”
Even worse, the intrusion also influences third-events who acquired or signed a document via Dropbox Signal, but never produced an account on their own, specifically exposing their names and email addresses.
Investigation carried out so far has uncovered no evidence that the attackers accessed the contents of users’ accounts, this kind of as agreements or templates, or their payment details. The incident is also stated to be restricted to Dropbox Indicator infrastructure.
The attackers are believed to have acquired accessibility to a Dropbox Indication automatic program configuration instrument and compromised a provider account that is part of Sign’s backend, exploiting the account’s elevated privileges to accessibility its shopper database.
The business, nonetheless, did not disclose how several clients were affected by the hack, but claimed it is in the method of reaching out to all impacted buyers along with “step-by-move guidance” to protect their info.
“Our security crew also reset users’ passwords, logged consumers out of any products they had connected to Dropbox Indicator, and is coordinating the rotation of all API keys and OAuth tokens,” it mentioned.
Dropbox also mentioned it is really cooperating with law enforcement and regulatory authorities on the make a difference. Even more evaluation of the breach continues to be ongoing.
The breach is the 2nd this kind of incident to goal Dropbox within two a long time. In November 2022, the firm divulged it was the target of a phishing campaign that allowed unknown risk actors to gain unauthorized obtain to 130 of its resource code repositories on GitHub.
Identified this short article attention-grabbing? Comply with us on Twitter and LinkedIn to browse a lot more exceptional content material we article.
Some elements of this write-up are sourced from:
thehackernews.com