Cloud storage agency DropBox says hackers breached manufacturing programs for its DropBox Signal eSignature platform and gained entry to authentication tokens, MFA keys, hashed passwords, and buyer data.
DropBox Signal (previously HelloSign) is an eSignature platform permitting prospects to ship paperwork on-line to obtain legally binding signatures.
The corporate says they detected unauthorized entry to DropBox Signal’s manufacturing programs on April 24 and launched an investigation.
This investigation decided that the menace actors gained entry to a Dropbox Signal automated system configuration instrument, which is a part of the platform’s backend companies.
This configuration instrument enabled the menace actor to execute purposes and automatic companies with elevated privileges, permitting the attacker to entry the client database.
“Upon additional investigation, we found {that a} menace actor had accessed information together with Dropbox Signal buyer data corresponding to emails, usernames, cellphone numbers and hashed passwords, along with common account settings and sure authentication data corresponding to API keys, OAuth tokens, and multi-factor authentication,” warns DropBox.
For these customers who used the eSignature platform however didn’t register an account, their e mail addresses and names had been additionally uncovered.
The corporate says they discovered no proof that the menace actors gained entry to prospects’ paperwork or agreements and didn’t entry the platforms of different DropBox companies.
DropBox says that it reset all customers’ passwords, logged out all classes to DropBox Signal, and restricted how API keys can be utilized till they’re rotated by the client.
The corporate has supplied further data within the security advisory on easy methods to rotate API keys to as soon as once more obtain full privileges.
Those that make the most of MFA with DropBox Signal ought to delete the configuration from their authenticator apps and reconfigure it with a brand new MFA key retrieved from the web site.
DropBox says they’re presently emailing all prospects who had been impacted by the incident.
For now, DropBox Signal prospects needs to be looking out for potential phishing campaigns using this information to gather delicate data, corresponding to plaintext passwords.
When you obtain an e mail from DropBox signal asking you to reset your password, don’t observe any hyperlinks within the e mail. As an alternative, go to DropBox Signal straight and reset your password from the positioning.
In 2022, Dropbox disclosed a security breach after menace actors stole 130 code repositories by breaching the corporate’s GitHub accounts utilizing stolen worker credentials.
