Dropbox announced today that its e-signature product, Dropbox Sign, formerly known as HelloSign, has been hacked, resulting in unauthorized access to customer data. In an SEC filing, the company wrote it discovered the breach on April 24 and launched an investigation.
The attackers apparently gained access to an automated system configuration tool within Dropbox Sign's infrastructure. The compromised account had elevated privileges that allowed access to the customer database. While the full scope is still under investigation, Dropbox confirms that certain details such as emails and usernames were accessible for all Sign users.
For some customers, additional information was also at risk. This includes phone numbers, hashed passwords, and authentication tokens such as API keys and OAuth tokens. Sensitive data from third parties who received Sign accounts but did not create them was also exposed, including names and emails.
Dropbox wrote in a blog post:
On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.
Dropbox says that upon discovering the breach, its security teams immediately reset passwords, logged users out of connected devices, and began rotating API keys and tokens to protect accounts. Law enforcement has been notified as the investigation continues.
Dropbox also stated that no evidence has been found that contract content, payment information, or other systems beyond Sign have been infiltrated.
The company is reaching out directly to affected users with steps they can take to protect themselves. However, it did not specify how many customers may have had their personal data stolen. The company also says the investigation is ongoing and it will provide additional updates.