Cloud storage company Dropbox has revealed that hackers infiltrated the production systems of its eSignature platform, Dropbox Sign, and obtained authentication tokens, MFA keys, hashed passwords, and customer data.
Formerly known as HelloSign, Dropbox Sign is a platform enabling customers to digitally send documents for legally binding signatures.
The breach was detected on April 24th, and Dropbox launched an investigation immediately. The company found that the threat actors had gained access to a configuration tool inside Dropbox Sign's backend. That tool ran with elevated privileges to execute applications and automated services, and those privileges were in turn used to reach the customer database.
In its disclosure, Dropbox said the exposed data included customer information such as email addresses, usernames, phone numbers, and hashed passwords, along with general account settings and certain authentication material: API keys, OAuth tokens, and multi-factor authentication secrets. Even people who used the platform without creating an account, for example to receive or sign a document, had their names and email addresses exposed.
There is no evidence that the attackers accessed the contents of customers' documents or agreements, or that any other Dropbox product was affected.
In response, Dropbox reset all Dropbox Sign user passwords, logged users out of every active session, and restricted what existing API keys can do until the affected customers rotate them. Guidance on rotating API keys to restore full API access is provided in the company's security advisory.
Customers who use multi-factor authentication (MFA) with Dropbox Sign are advised to delete the existing entry from their authenticator app and re-enroll with a new MFA secret generated on the Dropbox Sign website, since an attacker holding the old seed can generate valid one-time codes.
Dropbox is notifying all affected customers by email and warns them to watch for phishing attempts that use the stolen data to lure victims into revealing sensitive information such as plaintext passwords; the hashed passwords alone are not directly usable for login, which is why a follow-up phishing campaign is the more likely next step.
Users should not click links in emails that claim to come from Dropbox Sign and ask for a password reset. Instead, they should navigate to the platform directly and reset their password from there.
This incident follows Dropbox's previous security breach in 2022, in which threat actors used stolen employee credentials to access the company's GitHub accounts and steal 130 code repositories.