Tuesday, July 2, 2024

Dropbox Discloses Breach of Digital Signature Service Affecting All Customers

May 02, 2024 | Newsroom | Cyber Attack / Data Breach


Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all customers of the digital signature product.

The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the “unauthorized access” on April 24, 2024. Dropbox announced its plans to acquire HelloSign in January 2019.

“The threat actor had accessed information related to all customers of Dropbox Sign, such as emails and usernames, in addition to general account settings,” it said in the Form 8-K filing.


“For subsets of customers, the threat actor also accessed cellphone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”

Even worse, the intrusion also affects third parties who received or signed a document through Dropbox Sign but never created an account themselves, specifically exposing their names and email addresses.

The investigation carried out so far has uncovered no evidence that the attackers accessed the contents of customers’ accounts, such as agreements or templates, or their payment information. The incident is also said to be limited to Dropbox Sign infrastructure.

The attackers are believed to have gained access to a Dropbox Sign automated system configuration tool and compromised a service account that is part of Sign’s backend, exploiting the account’s elevated privileges to access its customer database.

The company, however, did not disclose how many customers were affected by the hack, but said it is in the process of reaching out to all impacted customers with “step-by-step instructions” to protect their information.

“Our security team also reset customers’ passwords, logged customers out of any devices they’d connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens,” it said.


Dropbox also said it is cooperating with law enforcement and regulatory authorities on the matter. Further analysis of the breach remains ongoing.

The breach is the second such incident to target Dropbox within two years. In November 2022, the company disclosed it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.
