Dropbox warns about a Dropbox Sign breach

Dropbox has shared a report on a data breach in the Dropbox Sign e-signature service. What does this mean for consumers, and what should they do?

Dropbox has shared the results of its investigation into the hacking of its infrastructure. The company did not specify when the incident actually occurred, saying only that the attack was noticed by company employees on April 24. Here, we explain what happened, what data was leaked, and how to protect yourself and your company from the consequences of the incident.

Dropbox Sign hack: how it happened and what data was stolen

Unknown attackers managed to compromise a Dropbox Sign service account, thereby gaining access to the platform’s internal automated configuration mechanism. Using this access, the hackers were able to get their hands on a database containing information about Dropbox Sign users.

As a result, the following data of registered users of the Dropbox Sign service was stolen:

usernames;
email addresses;
phone numbers;
passwords (hashed);
authentication keys for the Dropbox Sign API;
OAuth authentication tokens;
SMS and application two-factor authentication tokens.

If users of the service interacted with it without creating an account, only their names and email addresses were leaked.

Dropbox claims it found no signs of unauthorized access to the contents of user accounts (documents and contracts) or to payment information.

As a security measure, Dropbox has reset all Dropbox Sign account passwords and terminated all active sessions, so you’ll need to log in to the service again and set a new password.

Does the Dropbox Sign hack affect all Dropbox users?

Dropbox Sign, formerly known as HelloSign, is Dropbox’s standalone cloud document workflow tool, primarily used for signing electronic documents. The closest analogues to this service are DocuSign and Adobe Sign.

As the company emphasizes in its statement, Dropbox Sign’s infrastructure is “substantially separate from other Dropbox services.” Judging by the results of the company’s investigation, the Dropbox Sign hack was an isolated incident and did not affect other Dropbox products. Thus, according to the information we have now, it does not pose any threat to users of the company’s main service, Dropbox cloud file storage. This is also true for users whose Sign account was linked to their main Dropbox account.

What should you do about Dropbox Sign being hacked?

Dropbox has already reset the passwords for all Dropbox Sign accounts, so you will have to set a new password in any case. We recommend using a brand new password rather than a slightly modified version of the old one. Ideally, you should generate a long random string of characters using a password manager and store it there.

Since the two-factor authentication tokens were also stolen, they must be reset as well. If you used SMS, the reset was done automatically; if you use an authenticator app, you have to do it yourself by re-registering the app with the Dropbox Sign service.

The list of data stolen by the hackers also includes authentication keys for the Dropbox Sign API. So if your company used this tool via the API, you need to generate a new key.

Finally, if you’ve used the same password on other services, you should change it as soon as possible – especially if it’s associated with the same username, email address, or phone number you used when registering for Dropbox Sign. Again, this is easy to do using our password manager, which, by the way, is part of our security solutions for small businesses.