Cloud storage companies supplier Dropbox on Wednesday disclosed that Dropbox Signal (previously HelloSign) was breached by unidentified menace actors, who accessed emails, usernames, and common account settings related to all customers of the digital signature product.
The corporate, in a submitting with the U.S. Securities and Trade Fee (SEC), stated it turned conscious of the “unauthorized entry” on April 24, 2024. Dropbox introduced its plans to amass HelloSign in January 2019.
“The menace actor had accessed information associated to all customers of Dropbox Signal, reminiscent of emails and usernames, along with common account settings,” it stated within the Type 8-Ok submitting..
“For subsets of customers, the menace actor additionally accessed cellphone numbers, hashed passwords, and sure authentication data reminiscent of API keys, OAuth tokens, and multi-factor authentication.”
Even worse, the intrusion additionally impacts third-parties who acquired or signed a doc by Dropbox Signal, however by no means created an account themselves, particularly exposing their names and e-mail addresses.
Investigation carried out thus far has uncovered no proof that the attackers accessed the contents of customers’ accounts, reminiscent of agreements or templates, or their cost data. The incident can also be stated to be restricted to Dropbox Signal infrastructure.
The attackers are believed to have gained entry to a Dropbox Signal automated system configuration software and compromised a service account that is a part of Signal’s backend, exploiting the account’s elevated privileges to entry its buyer database.
The corporate, nevertheless, didn’t disclose what number of clients have been affected by the hack, however stated it is within the strategy of reaching out to all impacted customers alongside “step-by-step directions” to guard their data.
“Our security group additionally reset customers’ passwords, logged customers out of any gadgets that they had related to Dropbox Signal, and is coordinating the rotation of all API keys and OAuth tokens,” it stated.
Dropbox additionally stated it is cooperating with legislation enforcement and regulatory authorities on the matter. Additional evaluation of the breach stays ongoing.
The breach is the second such incident to focus on Dropbox inside two years. In November 2022, the corporate divulged it was the sufferer of a phishing marketing campaign that allowed unidentified menace actors to achieve unauthorized entry to 130 of its supply code repositories on GitHub.
