
Dropbox Warns Hacker Accessed Customer Passwords And MFA Data


Dropbox has confirmed that a hacker has accessed customer information including emails and usernames, phone numbers and hashed passwords, OAuth tokens and multi-factor authentication information. Here’s what is known so far.

Hacker Gains Access To Dropbox Sign Production Environment

Dropbox has issued a statement confirming that it became aware of unauthorized access to the production environment of the Dropbox Sign platform on April 24. That statement confirms that customer information was accessed, but says that it is believed the breach only impacted the Dropbox Sign infrastructure and no other Dropbox platforms or products. “We’re in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data,” Dropbox said.


The ongoing investigation has confirmed that the attacker gained access to an automated system configuration tool used by Dropbox Sign and compromised a service account used to execute applications and automated services. Dropbox described the account as non-human, but it carried high privileges, which enabled the hacker to access both the production environment and the customer database. Meanwhile, the Dropbox security team has taken precautionary measures, such as resetting users’ passwords and logging them out of any devices that had been connected to Dropbox Sign. “The next time you log in to your Sign account, you’ll be sent an email to reset your password,” Dropbox said. “We recommend you do this as soon as possible.”

No Evidence Of Access To Documents Or Agreements

Dropbox has stated that, at this stage of the investigation, it has found no evidence that the attackers accessed documents, agreements or other content in users’ accounts. However, the company has said that anyone who didn’t actually create a Dropbox Sign (or HelloSign as it used to be called) account but did receive or sign a document using the service had email addresses and names exposed. “We’re in the process of reaching out to all impacted users who need to take action, and we expect all notifications to be complete within a week,” Dropbox said.

API Customers Must Rotate Keys Now

Dropbox Sign application programming interface customers have been warned to rotate their API keys, that is, to generate a new key and delete the existing one. Dropbox said that it is restricting functionality for API users during this process, but signature requests and signing capabilities will continue to operate. “Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal,” Dropbox has confirmed.


Breach Through Acquisition?

“This looks like a classic case of breach through acquisition,” Andy Kays, CEO of Socura, said. “The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or compatibility issues as products, technologies, services and teams are integrated.” Whatever the root cause of the unauthorized access, an attacker gained access to a service that handles sensitive documents, and a wide range of abuse could follow from that. The Dropbox Sign breach “offers tremendous scope for abuse, identity theft, fraud, and business email compromise,” Socura warns, concluding, “Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.”


