Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product.
The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the “unauthorized access” on April 24, 2024. Dropbox announced its plans to acquire HelloSign in January 2019.
“The threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings,” it said in the Form 8-K filing.
“For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
Even worse, the intrusion also affects third parties who received or signed a document through Dropbox Sign but never created an account themselves, specifically exposing their names and email addresses.
Investigation conducted so far has found no evidence that the attackers accessed the contents of users’ accounts, such as agreements or templates, or their payment information. The incident is also said to be limited to Dropbox Sign infrastructure.
The attackers are believed to have gained access to a Dropbox Sign automated system configuration tool and compromised a service account that’s part of Sign’s backend, exploiting the account’s elevated privileges to access its customer database.
The company, however, did not disclose how many customers were affected by the hack, but said it is in the process of reaching out to all impacted users with “step-by-step guidance” to protect their information.
“Our security team also reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens,” it said.
Dropbox also said it is cooperating with law enforcement and regulatory authorities on the matter. Further investigation of the breach remains ongoing.
The breach is the second such incident to target Dropbox in just two years. In November 2022, the company disclosed it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.
Some parts of this article are sourced from:
thehackernews.com