Critical flaw in Dropbox's e-signature service
Breach of the electronic signature system exposes sensitive data
Dropbox suffered a security breach that exposed sensitive data of users of its Dropbox Sign service, including emails, phone numbers and passwords. Measures have been taken to mitigate the problem.
Dropbox recently disclosed a security breach affecting Dropbox Sign, its electronic signature service formerly known as HelloSign. On April 24, 2024, unauthorized access to the system configuration tools used to manage Dropbox Sign was detected. The attackers managed to use these tools to run automated controls with elevated privileges, thus gaining access to the platform's customer database.
Details about the information leak
Further investigations clarified the extent of the data leak, showing that the attackers obtained sensitive data of Dropbox Sign users. These include hashed emails, usernames, phone numbers and passwords. Additionally, critical security details such as API keys, OAuth tokens, and multi-factor authentication (MFA) data were compromised.
Risks also extended to unregistered users
More alarming is the fact that not only accounts registered on Dropbox Sign were affected. Individuals who used the service to sign documents without creating an account also had their contact details, such as email addresses and names, exposed. Fortunately, there have been no indications that the signed documents or payment information were accessed by the hackers.
Measures adopted and recommendations for users
To contain the incident, Dropbox immediately reset user passwords, closed all active Dropbox Sign sessions, and limited the use of API keys. Dropbox is currently notifying all affected users by email. It also advises users to remain vigilant about phishing attempts that could exploit the stolen information to obtain additional sensitive data.
05/02/2024 18:31
Marco Verro