Dropbox Says eSignature Service Was Hacked, Authentication Data Accessed

The company says there’s ‘no evidence that the threat actor accessed the contents of users’ accounts’ in the breach of its Dropbox Sign service.

Dropbox disclosed that its eSignature service, Dropbox Sign, was compromised and authentication data such as hashed passwords, API keys and OAuth tokens for some users were accessed.

Certain customer information and data related to multifactor authentication were also accessed in the incident, Dropbox said in a filing with the U.S. Securities and Exchange Commission.

In the SEC filing, the company said there’s currently “no evidence that the threat actor accessed the contents of users’ accounts” in the breach of its Dropbox Sign service.

However, the breach potentially impacts “all users of Dropbox Sign,” the company said.

CRN has reached out to Dropbox for comment.

Dropbox Sign was formerly known as HelloSign, which the company acquired in early 2019.

The company reported that it “became aware of unauthorized access” to the Dropbox Sign production environment on April 24.

“Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings,” Dropbox said in the SEC filing. “For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multifactor authentication.”

Dropbox added that “based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information.”

There’s no question that the Dropbox Sign breach increases the risk for its users, said Jason Soroko, senior vice president of product at cybersecurity company Sectigo, in an email.

That includes both the risk from the potential theft of authentication data and the possibility of being targeted for social engineering, Soroko said.