Security news that informs and inspires
an abstract map of the world

Attacker Accessed Dropbox Sign User Authentication Data in Recent Intrusion

An unidentified attacker recently gained access to a database that held customer information for Dropbox Sign users, including usernames and emails, and authentication information such as API keys, OAuth tokens, and MFA information.

Dropbox on Wednesday disclosed the breach in a notice to the Securities and Exchange Commission and said that it discovered the intrusion on April 24, but did not say when the attacker gained access or how long the intrusion lasted. The company said that there is no evidence at the moment that the attacker accessed any of Dropbox’s other products or services. The company’s security team has already reset users’ passwords, logged them out of any devices that were signed in to Dropbox Sign and is in the process of rotating API keys and OAuth tokens.

“On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” a Dropbox blog on the incident says.

Dropbox Sign is an online document creation and signing service and was formerly known as HelloSign. Company officials said the infrastructure for Dropbox Sign is largely separated from infrastructure used for other Dropbox services.

The attacker was able to access the customer database by compromising a service account that had a variety of privileges and was able to then access an automated system configuration tool.

“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database,” the blog says.

In its SEC filing, Dropbox officials said they do not believe this incident will have a material impact on the company’s operations.