
Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign (formerly HelloSign) was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product.
The company, in a filing with the U.S. Securities and Exchange Commission (SEC), said it became aware of the “unauthorized access” on April 24, 2024. Dropbox announced its plans to acquire HelloSign in January 2019.
“The threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings,” it said in the Form 8-K filing.

“For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
Even worse, the intrusion also affects third parties who received or signed a document through Dropbox Sign, but never created an account themselves, specifically exposing their names and email addresses.
The investigation conducted so far has uncovered no evidence that the attackers accessed the contents of users’ accounts, such as agreements or templates, or their payment information. The incident is also said to be limited to Dropbox Sign infrastructure.
The attackers are believed to have gained access to a Dropbox Sign automated system configuration tool and compromised a service account that is part of Sign’s backend, exploiting the account’s elevated privileges to access its customer database.
The company, however, did not disclose how many customers were affected by the hack, but said it is in the process of reaching out to all impacted users with “step-by-step instructions” to protect their information.
“Our security team also reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens,” it said.

Dropbox also said it is cooperating with law enforcement and regulatory authorities on the matter. Further analysis of the breach remains ongoing.
The breach is the second such incident to target Dropbox within two years. In November 2022, the company divulged it was the victim of a phishing campaign that allowed unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub.