All Dropbox Sign Users’ Emails Stolen, Plus Some MFA and OAuth Tokens, API Keys
File storage and sharing giant Dropbox said hackers breached its infrastructure and stole swaths of customer data, including authentication tokens for its legally binding electronic signature service.
Dropbox first detected a breach of its Dropbox Sign – formerly known as HelloSign – production environment on April 24, it told investors in a Form 8-K filed Wednesday to the U.S. Securities and Exchange Commission.
A hacker stole all Dropbox Sign users’ emails, usernames, phone numbers and hashed passwords, as well as authentication information, including multifactor authentication tokens, API keys and OAuth tokens, said the publicly traded, San Francisco-based company. The breach also exposed names and email addresses for non-accountholders, including anyone who’s ever signed or received a document via Dropbox Sign.
The company, which reported $2.5 billion in 2023 revenue, bills Dropbox Sign as being “trusted by millions of users to manage signed documents, request signatures, and create documents for signing securely online.” The service, for creating legally binding e-signatures, is used for everything from closing sales deals, to mortgage signing, to human resources onboarding.
The company’s investigation into the breach remains ongoing – it hasn’t yet detailed when it believes the intrusion began – but investigators believe hackers only penetrated the Dropbox Sign infrastructure, and not systems tied to any other products, such as its file-sharing service.
In addition, “we’ve found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information,” Dropbox said in a Wednesday blog post.
The attacker appeared to first compromise a service account, gaining full access privileges to Dropbox Sign – including the ability to run applications and automated services – and “then used this access to the production environment to access our customer database,” Dropbox said.
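The access path described above, a service account reading the customer database, is the kind of activity a per-account baseline check can surface before a full export completes. The following is an added example, not Dropbox’s code or logs: the audit records are constructed, and the field names, table names, service-account name and bulk-row threshold are assumptions.

```python
import json

# Constructed sample audit records (not real Dropbox Sign logs). A service
# account that normally runs a signature-reminder job suddenly reads the
# customer and API-key tables in bulk. Field and table names are assumed.
AUDIT_LOG = """
{"ts":"2024-04-23T02:00:01Z","principal":"svc-reminders","kind":"service","action":"select","table":"signature_requests","rows":120}
{"ts":"2024-04-23T02:00:05Z","principal":"svc-reminders","kind":"service","action":"update","table":"signature_requests","rows":120}
{"ts":"2024-04-24T03:12:40Z","principal":"svc-reminders","kind":"service","action":"select","table":"customers","rows":1850000}
{"ts":"2024-04-24T03:14:02Z","principal":"svc-reminders","kind":"service","action":"select","table":"api_keys","rows":42000}
{"ts":"2024-04-24T09:05:11Z","principal":"alice","kind":"user","action":"select","table":"customers","rows":3}
"""

# Baseline: the (action, table) pairs each service account is expected to
# perform. In practice this comes from a job definition or a learned history;
# here it is a constructed allowlist for the hypothetical svc-reminders job.
BASELINE = {
    "svc-reminders": {("select", "signature_requests"), ("update", "signature_requests")},
}
BULK_ROWS = 10_000  # assumed threshold; tune to the job's normal volume


def parse_log(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines()]


def find_anomalies(records, baseline, bulk_rows=BULK_ROWS):
    """Flag service-account activity that is outside its baseline or is a bulk read.

    Returns a list of (timestamp, principal, table, reasons). Human users are
    skipped; they are governed by different controls than automation identities.
    """
    findings = []
    for r in records:
        if r["kind"] != "service":
            continue
        allowed = baseline.get(r["principal"], set())
        reasons = []
        if (r["action"], r["table"]) not in allowed:
            reasons.append("outside baseline")
        if r["action"] == "select" and r["rows"] >= bulk_rows:
            reasons.append("bulk read")
        if reasons:
            findings.append((r["ts"], r["principal"], r["table"], reasons))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(AUDIT_LOG), BASELINE):
        print(f)
```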
Attackers could potentially use the stolen keys and tokens as part of a supply-chain attack to access or log into Dropbox Sign with the user’s identity and permissions and sign legally binding documents in their name, or steal confidential document information and hold it to ransom. The Dropbox Sign website notes that “eSignatures from Dropbox Sign are legally binding under the ESIGN Act of 2000, providing the same legal standing as pen and paper alternatives,” and that “a non-editable audit trail is affixed to each and every Dropbox Sign signature request, ensuring that every action is fully tracked and time-stamped.”
As a result of the breach, the company has reset all Dropbox Sign users’ passwords and logged them out of any devices that remained connected to the service via an MFA token. “Customers who use an authenticator app for multifactor authentication should reset it,” it said. “Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.”
Dropbox has begun directly contacting organizations who will need to change their API keys and OAuth tokens to offer “step-by-step instructions,” saying it expects to conclude that notification process by May 8. The company has restricted API functionality, telling users that “only signature requests and signing capabilities will continue to be operational for your business continuity” until they change their API key, at which point full functionality will be restored.
The company warned any user who reused their Dropbox Sign password elsewhere to immediately change it to a new, unique password, and also recommended that they enable MFA for every one of their accounts that offers it.
What impact this breach might have on customers’ perception of the service remains unclear. As the service’s website states: “Security is hugely important for us here at Dropbox Sign, and we want users to be confident that sensitive documents carry both trust and legality.”
This isn’t Dropbox’s first data breach. In late 2022, the company said its employees had fallen for a well-crafted phishing campaign that gave hackers access to internal code repositories and some personally identifying information. The company said the breached GitHub code repositories weren’t then being protected using MFA, which it promised to rectify (see: Dropbox Data Breach Another Multifactor Fail).
The company also disclosed a major breach in 2016, saying it believed an attacker had stolen a set of customer credentials in 2012 and warning any user who hadn’t changed their password since 2012 to do so immediately. Subsequently, security researchers reported seeing 69 million Dropbox user accounts – including email addresses and hashed passwords – in circulation, potentially due to that breach (see: Dropbox’s Big, Bad, Belated Breach Notification).