
Critical flaw in Dropbox's e-signature service

Breach of the electronic signature system exposes sensitive data

Dropbox suffered a security breach that exposed sensitive user data of its Dropbox Sign service, including emails, phone numbers and passwords. Measures have been taken to mitigate the problem.


Dropbox recently disclosed a security breach affecting Dropbox Sign, its electronic signature service formerly known as HelloSign. On April 24, 2024, unauthorized access to the system configuration tools used to manage Dropbox Sign was detected. Hackers managed to use these tools to execute automated operations with elevated privileges, thus gaining access to the platform's customer database.

Details about the information leak

Further investigations clarified the extent of the data leak, showing that the attackers obtained sensitive data of Dropbox Sign users. These include hashed emails, usernames, phone numbers and passwords. Additionally, critical security details such as API keys, OAuth tokens, and multi-factor authentication (MFA) data were compromised.

Risks also extended to unregistered users

More alarming is the fact that not only accounts registered on Dropbox Sign were affected. Individuals who used the service to sign documents without creating an account also had their contact details, such as email addresses and names, exposed. Fortunately, there have been no indications that the signed documents or payment information were accessed by the hackers.

Measures adopted and recommendations for users

To contain the incident, Dropbox immediately reset user passwords, closed all active Dropbox Sign sessions, and limited the use of API keys. Currently, they are notifying all affected users via email. They also advise users to remain vigilant about possible phishing attempts that could exploit the stolen information to obtain additional sensitive data.


05/02/2024 18:31

Editorial AI
