Threat actors hacked the Dropbox Sign production environment

Pierluigi Paganini May 02, 2024

Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords

Cloud storage provider DropBox revealed that threat actors have breached the production infrastructure of the DropBox Sign eSignature service and gained access to customer information and authentication data.

Dropbox Sign is a service that allows users to electronically sign and request signatures on documents. It integrates with Dropbox storage, so users can sign and store documents in one place without ever leaving the Dropbox platform.

The company detected unauthorized access to the Dropbox Sign production environment on April 24th and immediately launched an internal investigation. Investigations revealed that a threat actor gained access to data, including customer information like emails, usernames, phone numbers, and hashed passwords. Additionally, certain account settings and authentication information such as API keys, OAuth tokens, and multi-factor authentication details were compromised.

“On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.” reads the advisory published by the company.

The company reported this incident to data protection regulators and law enforcement.

The attackers compromised a service account within Sign’s back-end, which is a non-human account utilized for executing applications and automated services. This compromised account had privileges to perform various actions within Sign’s production environment. Then the threat actor used this access to access the customer database.

The company noted that users who utilized the eSignature platform without registering an account also had their email addresses and names exposed. The company added that the attackers did not access users’ documents or agreements and did not compromise other DropBox services.

In response to the security breach, the company’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is rotating all API keys and OAuth tokens.

“If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. As an additional precaution, we’ll be restricting certain functionality of API keys while we coordinate rotation. Only signature requests and signing capabilities will continue to be operational for your business continuity. Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal. Here is how you can easily create a new key.” continues the advisory. “Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.”

The company urges customers to change their password on any other services where they used the same password as their Dropbox Sign account, and also recommends enabling multi-factor authentication wherever possible.

DropBox is notifying all impacted customers.

In November 2022, Dropbox announced that threat actors gained unauthorized access to 130 of its source code repositories on GitHub. According to the advisory published by Dropbox, the company was the target of a phishing campaign that resulted in access to the GitHub repositories. The investigation revealed that the code accessed by the attackers contained some credentials, primarily, API keys, used by the development team.

The company pointed out that no one’s content, passwords, or payment information were accessed, it also remarked that the issue was quickly resolved.

Dropbox uses CircleCI for select internal deployments, and in early October, a phishing campaign targeted multiple Dropboxers using messages impersonating CircleCI.

“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site.” reads the advisory published by the company. “This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.”

The repositories included internal copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team of the file hosting service.

Exposed data included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

you might also like

leave a comment