Dropbox Sign, Dropbox’s digital signature service, has been hacked. According to the online storage specialist, criminals captured various types of personal data and end-user authentication information during this attack, as well as API keys, OAuth tokens, and multi-factor authentication data.
According to Dropbox, it discovered on April 24 that cybercriminals had gained access to data belonging to all Dropbox Sign users. This included people who had received a document through the digital signature service but never created an account.
During the attack, the cybercriminals accessed an automated configuration tool for the service. They gained this access through a compromised automated, non-human service account that was part of Dropbox Sign’s back-end environment. The account is used to run applications and automated services.
Because of that role, the account held various privileges for actions within the Dropbox Sign production environment. Those privileges allowed the cybercriminals to reach that environment and its customer database.
Personal data captured
The attack eventually compromised personal data from end users, including emails, user names, and general account settings. The cybercriminals also stole hashed passwords and phone numbers from a small portion of end users.
In addition, they obtained authentication data such as API keys, OAuth tokens, and multi-factor authentication data. According to Dropbox, hackers did not access personal content or financial information in accounts.
The company further states that Dropbox Sign’s infrastructure is largely separate from its other infrastructure. As a result, the fallout from the attack is expected to be limited to the digital signature environment.
Measures taken
Dropbox says it is taking the attack on its systems extremely seriously and has notified the relevant data protection authorities. In response, all end-user passwords were reset, and users were automatically logged out of Dropbox Sign on every device connected to the service. Dropbox is also rotating all API keys and OAuth tokens.
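The containment steps listed above (forced password reset, logout on every device, revocation of API keys and OAuth tokens) can be modelled with a per-account "session generation" counter: every session token embeds the generation it was issued under, so bumping the counter invalidates all outstanding sessions without tracking them individually. The following is an added illustration written for this article, not Dropbox's code; the account model, token format and function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

def _h(secret: str) -> str:
    # Store only hashes of API keys and OAuth tokens, never the raw secrets.
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class Account:
    email: str
    password_hash: Optional[str]          # None means the user must set a new password
    must_reset_password: bool = False
    session_generation: int = 0           # embedded in session tokens; bump to log out everywhere
    api_key_hashes: set = field(default_factory=set)
    oauth_token_hashes: set = field(default_factory=set)

def issue_session(acct: Account) -> str:
    # Hypothetical token layout: email:generation:nonce (an opaque server-side id would also work)
    return f"{acct.email}:{acct.session_generation}:{secrets.token_hex(8)}"

def session_valid(acct: Account, token: str) -> bool:
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != acct.email:
        return False
    return parts[1].isdigit() and int(parts[1]) == acct.session_generation

def issue_api_key(acct: Account) -> str:
    key = "sk_" + secrets.token_hex(16)
    acct.api_key_hashes.add(_h(key))
    return key                              # shown to the owner once, only the hash is kept

def issue_oauth_token(acct: Account) -> str:
    tok = "oa_" + secrets.token_hex(16)
    acct.oauth_token_hashes.add(_h(tok))
    return tok

def api_key_valid(acct: Account, key: str) -> bool:
    return _h(key) in acct.api_key_hashes

def respond_to_credential_compromise(acct: Account) -> dict:
    """Apply the notice's containment steps to one account and report what was revoked."""
    revoked = {"api_keys_revoked": len(acct.api_key_hashes),
               "oauth_tokens_revoked": len(acct.oauth_token_hashes)}
    acct.password_hash = None               # the old hash is no longer accepted
    acct.must_reset_password = True         # user sets a new password at next login
    acct.session_generation += 1            # every outstanding session token now fails validation
    acct.api_key_hashes.clear()             # owners generate fresh keys and tokens afterwards
    acct.oauth_token_hashes.clear()
    return revoked
```

The hashed stores mean that even a dump of the account table after rotation yields no usable API key or OAuth token.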
Finally, an investigation into how the incident could have occurred is still underway. Based on its conclusions, Dropbox will modify its digital signature service to prevent a recurrence.