Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities.

The attack, detailed in a regulatory filing, impacted Dropbox Sign - a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone.

The filing states that management became aware of the incident last week - on April 24 - and "immediately activated our cyber security incident response process to investigate, contain, and remediate the incident."

That effort led to the discovery that "the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings."

It gets worse: "For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication," the filing states.

And worse still: a blog post about the incident reveals that third parties "who received or signed a document through Dropbox Sign, but never created an account" also had email addresses and names exposed.

Thankfully, Dropbox has found no evidence that the attacker "accessed the contents of users' accounts, such as their agreements or templates, or their payment information." That's good news - Dropbox Sign could conceivably be used to handle contracts that detail commercial secrets.

Another nugget of positivity is that Dropbox hasn't seen evidence that its other products have been impacted. That may be because, as detailed in the blog post, "Dropbox Sign's infrastructure is largely separate from other Dropbox services."

That's likely a happy accident, given that Dropbox Sign is derived from a startup called HelloSign that Dropbox acquired in 2019. And it's not really brilliant news, as it suggests Dropbox has different stacks for its diverse products - the sort of sprawling IT estate that increases complexity and makes management harder.

The filing advises investors that the incident hasn't made a dent in Dropbox's finances, and the biz doesn't think it will have material impact.

How the attacker dropped in

Dropbox's blog post explains that its investigation led it to believe that a third party gained access to "a Dropbox Sign automated system configuration tool."

The attacker compromised a "service account" used by non-humans to execute applications and run automated services. The account "had privileges to take a variety of actions within Sign's production environment."

Dropbox's infosec folk have since reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and worked to rotate all API keys and OAuth tokens.

Dropbox's blog post indicates that its investigation is ongoing, and that impacted customers should expect to hear from it within a week.

Neither the post nor the filing, however, mention any offer of free identity and fraud protection services in the wake of the incident, as is common after data breaches. ®

https://www.theregister.com//2024/05/02/dropbox_sign_attack/