DropBox says hackers breached eSignature service systems, stole customer data and auth secrets

Cloud storage firm DropBox says hackers breached production systems for its DropBox Sign eSignature platform and gained access to authentication tokens, MFA keys, hashed passwords, and customer information.

DropBox Sign (formerly HelloSign) is an eSignature platform that lets customers send documents online to receive legally binding signatures.

The company says it detected unauthorized access to DropBox Sign’s production systems on April 24 and launched an investigation.

The investigation determined that the threat actors gained access to a Dropbox Sign automated system configuration tool, which is part of the platform’s backend services.

This configuration tool enabled the threat actor to execute applications and automated services with elevated privileges, allowing the attacker to access the customer database.

“Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication,” warns DropBox.

For those users who used the eSignature platform but did not register an account, their email addresses and names were also exposed.

The company says it found no evidence that the threat actors gained access to customers’ documents or agreements, and that they did not access the platforms of other DropBox services.

DropBox says that it reset all users’ passwords, logged out all sessions to DropBox Sign, and restricted how API keys can be used until they are rotated by the customer.

The company has provided additional information in the security advisory on how to rotate API keys to once again receive full privileges.

Those who use MFA with DropBox Sign should delete the configuration from their authenticator apps and reconfigure it with a new MFA key retrieved from the website.

DropBox says it is currently emailing all customers who were impacted by the incident.

For now, DropBox Sign customers should be on the lookout for potential phishing campaigns using this data to collect sensitive information, such as plaintext passwords.

If you receive an email from DropBox Sign asking you to reset your password, do not follow any links in the email. Instead, visit DropBox Sign directly and reset your password from the site.

In 2022, Dropbox disclosed a security breach after threat actors stole 130 code repositories by breaching the company’s GitHub accounts using stolen employee credentials.
