Dropbox Sign Hacked: API Keys, MFA, and Hashed Passwords Compromised

Highlights:

Dropbox Sign, a service under Dropbox, faced a significant security breach.
Unauthorized access was detected in the Dropbox Sign production environment, potentially exposing sensitive user data.
The breach, discovered on April 24, originated from a compromised service account within Dropbox Sign’s backend system.
In response, Dropbox took immediate measures like password resets, logouts from connected devices, and key/token rotations.
While no unauthorized access to user account contents or payment details was reported, Dropbox remains vigilant and committed to enhancing security protocols.
Users were promptly notified and provided with guidance on securing their accounts, while Dropbox’s security team collaborated with authorities and experts to address the breach.

Dropbox has recently disclosed a major security breach that has affected its electronic signature service, Dropbox Sign (previously known as HelloSign). This breach, which was detected on April 24, involves unauthorized access to the production environment of Dropbox Sign, leading to the exposure of sensitive customer information.

The breach was swiftly identified by Dropbox’s security team on the same day it occurred. An in-depth investigation into the incident revealed that a threat actor had gained unauthorized access to the Dropbox Sign production environment by compromising a service account within the backend infrastructure.

In response to this breach, Dropbox has taken immediate and comprehensive action to mitigate potential risks for its users. These actions include initiating password resets for affected users, logging them out from all connected devices as a precautionary measure, and rotating all API keys and OAuth tokens associated with Dropbox Sign.

While the breach has impacted users of Dropbox Sign by exposing their names, email addresses, and other sensitive information, Dropbox has emphasized that there is no evidence of unauthorized access to the actual contents of user accounts, such as documents or agreements. Additionally, no payment information has been compromised.

Dropbox has actively reached out to affected users, providing them with detailed instructions on how they can further enhance their data security. For users who signed up for Dropbox Sign or HelloSign through external services like Google, Dropbox clarified that passwords were not stored or exposed, as no direct password setup occurred with Dropbox.

In light of this incident, Dropbox has reiterated its unwavering commitment to user security. The company has highlighted the extensive measures taken to address the breach and continues to collaborate closely with law enforcement agencies and cybersecurity experts to prevent similar breaches in the future. Dropbox is also actively reinforcing its security infrastructure to enhance protection against potential threats.

Users are strongly advised to follow Dropbox’s guidance and remain vigilant by monitoring their accounts for any suspicious activity. By working together, Dropbox and its users aim to uphold a strong security posture and safeguard user data against unauthorized access.