
Dropbox admits security breach

E-mail addresses, usernames, phone numbers and hashed passwords stolen in hack

2 May 2024

“On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment,” a statement from the company read. “Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as e-mails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”

Users who signed a document through Dropbox Sign without setting up a password – such as via Google – are not believed to be affected.

The statement continued: “When we became aware of this issue, we launched an investigation with industry-leading forensic investigators to understand what happened and mitigate risks to our users.  

 


“Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.

“In response, our security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens. We reported this event to data protection regulators and law enforcement.”

At the time of writing, it is not known whether the threat actor was connected to a group associated with any nation state.

TechCentral Reporters


TechCentral.ie