Threat Actor: Unknown | Unknown
Victim: Dropbox | Dropbox
Price: N/A
Exfiltrated Data Type: Email addresses, usernames, phone numbers, hashed passwords, API keys, OAuth tokens, authentication information
Additional Information:
- The security breach occurred within Dropbox Sign (formerly HelloSign) service.
- The breach exposed customer data including email addresses, usernames, phone numbers, and hashed passwords.
- API keys, OAuth tokens, and authentication information may also have been compromised.
- Names and email addresses of users who interacted with Dropbox Sign without creating an account were also compromised.
- The breach did not affect the contents of customer documents or agreements, nor any payment information.
- The breach was confined to the Dropbox Sign infrastructure and did not impact other Dropbox products.
- Dropbox reset passwords for all affected accounts to prevent further unauthorized access.
- Users were logged out of any devices connected to Dropbox Sign to safeguard against residual risks.
- All API keys and OAuth tokens were rotated to secure the integrity of further interactions with Dropbox Sign.
- Dropbox notified data protection regulators and law enforcement agencies to comply with legal obligations and seek assistance in addressing the breach.
- Impacted users are urged to follow provided instructions to secure their accounts, including enabling multi-factor authentication and being vigilant for any suspicious activity.
Dropbox confirmed a security breach on April 24th within its Dropbox Sign (formerly HelloSign) service, exposing customer data including email addresses, usernames, phone numbers, and hashed passwords. API keys, OAuth tokens, and authentication information may also have been compromised.
The breach allowed a threat actor to access an array of personal information belonging to Dropbox Sign users. This included emails, usernames, phone numbers, and hashed passwords, as well as general account settings and authentication data such as API keys, OAuth tokens, and multi-factor authentication details. Notably, for users who interacted with Dropbox Sign without creating an account, names and email addresses were also compromised. Importantly, the breach did not affect the contents of customer documents or agreements, nor any payment information.
Investigations confirmed that the breach was confined to the Dropbox Sign infrastructure and did not impact other Dropbox products. Dropbox Sign operates on a largely separate infrastructure from other Dropbox services, which helped contain the breach to one area.
Upon discovering the breach, Dropbox acted swiftly to secure its systems and mitigate any potential damage:
- Password Resets: Dropbox reset passwords for all affected accounts to prevent further unauthorized access.
- Device Logouts: Users were logged out of any devices connected to Dropbox Sign to safeguard against any residual risks.
- API and OAuth Token Rotation: Dropbox rotated all API keys and OAuth tokens to secure the integrity of further interactions with Dropbox Sign.
Dropbox also notified data protection regulators and law enforcement agencies to comply with legal obligations and seek assistance in addressing the breach.
Dropbox is urging all impacted users to follow the provided instructions to secure their accounts, including enabling multi-factor authentication and being vigilant for any suspicious activity related to their accounts.
Original Source: https://securityonline.info/dropbox-sign-data-breach-what-you-need-to-know-and-how-to-protect-yourself/