Dropbox Sign Breach Exposes Customer Data and Authentication Secrets

Dropbox recently reported a significant security breach. The company’s eSignature platform, Dropbox Sign, formerly known as HelloSign, was compromised by hackers who gained access to a wealth of sensitive information. This included authentication tokens, multi-factor authentication keys, hashed passwords, and customer data.

The breach was detected on April 24 when unauthorized access to Dropbox Sign’s production systems was identified. The threat actors had accessed an automated system configuration tool, part of the platform’s backend services. This tool allowed the attacker to execute applications and automated services with elevated privileges, leading to the exposure of the customer database.

The compromised data included Dropbox Sign customer information such as email addresses, usernames, phone numbers, and hashed passwords. General account settings and certain authentication material, including API keys, OAuth tokens, and multi-factor authentication data, were also accessed. Users who had signed documents through the platform without registering an account had their email addresses and names exposed as well.

Despite the severity of the breach, Dropbox states that it has found no evidence that the attackers accessed customers’ documents or agreements. The company has taken immediate steps to contain the incident: resetting all users’ passwords, logging out every active Dropbox Sign session, and restricting how existing API keys can be used until customers rotate them. Other Dropbox services were not impacted. The company is currently reaching out to all customers affected by the incident.
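As an added illustration (not Dropbox's code), the following hypothetical Python gate models the containment steps described above: any API key issued before the incident-detection time is refused until the customer rotates it, and sessions created before a logout cutoff are invalidated. The class name KeyGate, the stored-hash scheme and the exact timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib, hmac, secrets

# Article gives the detection date (April 24); the year and hour are assumed here.
INCIDENT_DETECTED = datetime(2024, 4, 24, tzinfo=timezone.utc)

def _hash(secret: str) -> str:
    # Only a digest is stored, so a copied key table does not yield usable secrets.
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class ApiKey:
    key_id: str
    secret_hash: str
    issued_at: datetime
    revoked: bool = False

class KeyGate:
    """Hypothetical gate: keys minted before the incident must be rotated before use."""

    def __init__(self, incident_detected: datetime = INCIDENT_DETECTED):
        self.incident_detected = incident_detected
        self.keys = {}               # key_id -> ApiKey
        self.session_cutoff = None   # datetime set when every session is logged out

    def issue(self, issued_at: datetime) -> tuple:
        key_id, secret = secrets.token_hex(4), secrets.token_urlsafe(32)
        self.keys[key_id] = ApiKey(key_id, _hash(secret), issued_at)
        return key_id, secret

    def rotate(self, key_id: str, now: datetime) -> tuple:
        self.keys[key_id].revoked = True  # old credential dies even if an attacker holds it
        return self.issue(now)

    def authorize(self, key_id: str, secret: str) -> str:
        rec = self.keys.get(key_id)
        if rec is None or rec.revoked:
            return "deny:unknown_or_revoked"
        if not hmac.compare_digest(rec.secret_hash, _hash(secret)):
            return "deny:bad_secret"
        if rec.issued_at < self.incident_detected:
            return "deny:rotation_required"  # key existed while production was exposed
        return "allow"

    def logout_all_sessions(self, now: datetime) -> None:
        self.session_cutoff = now

    def session_valid(self, created_at: datetime) -> bool:
        return self.session_cutoff is None or created_at >= self.session_cutoff
```

The point of the ordering in authorize is that a correct but pre-incident secret is still refused, so a stolen key buys nothing until the legitimate owner rotates it.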

Read more at: www.bleepingcomputer.com