The Psychological Underpinnings of Modern Hacking Techniques

The tactics employed by hackers today aren’t new; they’re simply adapted for the digital age, exploiting the same human weaknesses that have always existed.

darkreading – Read More

Dropbox Breach Exposes Customer Credentials, Authentication Data

Threat actor dropped in to Dropbox Sign production environment and accessed emails, passwords, and other PII, along with APIs, OAuth, and MFA info.

darkreading – Read More

What are passkeys? Experience the life-changing magic of going passwordless

Here’s how to take the first steps toward ditching passwords for good.

Latest stories for ZDNET in Security – Read More

Ransomware Defense Startup Mimic Raises Hefty $27M Seed Round

A new Silicon Valley startup called Mimic is coming out of the shadows with a hefty $27 million seed-stage funding round led by Ballistic Ventures.

SecurityWeek – Read More

Two years in, Google says passkeys now protect more than 400 million accounts

Google Account users have authenticated themselves using passkeys more than 1 billion times, but passwords are likely to be around for years.

Latest stories for ZDNET in Security – Read More

Popular Android Apps Like Xiaomi, WPS Office Vulnerable to File Overwrite Flaw

Several popular Android applications available in the Google Play Store are susceptible to a path-traversal-related vulnerability pattern that a malicious app could exploit to overwrite arbitrary files in the vulnerable app’s home directory.
“The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application’s

The Hacker News – Read More

Building the Right Vendor Ecosystem – a Guide to Making the Most of RSA Conference

As you look to navigate RSA Conference, with so many vendors, approaches and solutions, how do you know what solutions you should be investing in?

SecurityWeek – Read More

Name That Edge Toon: Puppet Master

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

darkreading – Read More

The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics

Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Security Latest – Read More

Dropbox Sign e-signature service hacked | Kaspersky official blog

Dropbox has published the results of its investigation into a breach of its infrastructure. The company does not say when the incident actually began, only that its employees noticed the attack on April 24. Here we explain what happened, what data was leaked, and how to protect yourself and your company from the consequences.

Dropbox Sign hack: how it happened and what data was stolen

Unidentified attackers compromised a Dropbox Sign service account (a non-human account used to run automated back-end services) and through it gained access to the platform’s automated system configuration tool. With that access they got hold of a database containing information about Dropbox Sign users.

As a result, the following data of registered users of the Sign service was stolen:

usernames;
email addresses;
phone numbers;
passwords (hashed);
authentication keys for the Dropbox Sign API;
OAuth authentication tokens;
SMS and application two-factor authentication tokens.

Users who received or signed a document through the service without ever creating an account had only their names and email addresses exposed.

Dropbox says it found no evidence that the attackers accessed the contents of user accounts (documents and agreements) or payment information.

As a protective measure, Dropbox reset the passwords for all Dropbox Sign accounts and ended all active sessions, so you will have to log in to the service again and set a new password.

Does the Dropbox Sign hack affect all Dropbox users?

Dropbox Sign, formerly known as HelloSign, is Dropbox’s standalone cloud document workflow tool, primarily for signing electronic documents. The closest analogues of this service are DocuSign and Adobe Sign.

As the company emphasizes in its statement, Dropbox Sign’s infrastructure is “largely separate from other Dropbox services.” Judging by the results of the company’s investigation, the Dropbox Sign hack was an isolated incident that did not affect other Dropbox products. So, based on what is known now, it poses no threat to users of the company’s main service, Dropbox cloud file storage itself, including users whose Sign account was linked to their main Dropbox account.

What should you do about Dropbox Sign being hacked?

Dropbox has already reset the passwords of all Dropbox Sign accounts, so you will have to set a new one in any case. Use a completely new password rather than a slightly modified version of the old one: once an attacker cracks the leaked hash, predictable variations of the old password (a bumped year, an extra “!”) are the first guesses tried. Ideally, generate a long random string with a password manager and store it there.

Since two-factor authentication tokens were also stolen, you should reset them as well. If you used SMS, the reset happened automatically. If you used an authenticator app, you have to do it yourself: remove the existing entry and register the app with Dropbox Sign again, which issues a new secret; simply keeping the old entry leaves the attackers able to generate the same codes you do.

The list of stolen data also includes authentication keys for the Dropbox Sign API. If your company uses the service through the API, generate a new key and update every integration that still holds the old one. OAuth tokens were on the list as well, so review the third-party applications authorized on the account and revoke any you do not recognize or no longer need.

Finally, if you used the same password on any other service, change it there as quickly as possible, especially where that account shares the username, email address, or phone number you registered with Dropbox Sign, since those identifiers let the attackers match the leaked credentials to your other accounts. Again, a password manager makes this easy; one is, by the way, part of our security solution for small businesses.
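Two of the resets above, re-enrolling the authenticator rather than keeping its old entry and choosing a genuinely new password rather than a tweaked one, as an added example that is not part of the Kaspersky post or of Dropbox’s own guidance. It assumes the stolen application 2FA tokens are RFC 6238 TOTP seeds (the post does not say which scheme Dropbox Sign used); the seed, salt and passwords are constructed, and the PBKDF2 hashing and the small mutation rule set are illustrative stand-ins for real password hashing and real cracking wordlists, not anything Dropbox Sign uses.

```python
# Added example (not from the Kaspersky post or from Dropbox): why the resets
# after the Dropbox Sign breach must *replace* a secret rather than reuse it.
#   1. TOTP: anyone holding the stolen authenticator seed computes the same
#      codes as the user until the user re-enrolls and receives a fresh seed.
#   2. Passwords: a "slightly modified" new password falls to a handful of
#      mutation rules once the old one is known or cracked.
# Assumptions: app 2FA tokens are RFC 6238 TOTP seeds (the post does not say
# which scheme Dropbox Sign used); STOLEN_SEED, SALT and the passwords are
# constructed; PBKDF2 and the rule set stand in for real hashing and wordlists.
import hashlib
import hmac
import re
import secrets
import string
import struct
import time
from typing import Optional

# Constructed "stolen" seed: the RFC 6238 test-vector key, so output is checkable.
STOLEN_SEED = b"12345678901234567890"
# Constructed per-user salt for the password hashes.
SALT = b"dropbox-sign-demo-salt"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps). The seed is the only secret."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def attacker_codes_still_valid(user_seed: bytes, stolen_seed: bytes, now: int) -> bool:
    """True if a code the attacker derives from the stolen seed is accepted for the user."""
    return hmac.compare_digest(totp(stolen_seed, now), totp(user_seed, now))


def reenroll() -> bytes:
    """Re-registering the authenticator app issues a brand-new random seed."""
    return secrets.token_bytes(20)


def mutations(old: str) -> set:
    """A tiny rule set of the kind offline crackers apply to a known old password."""
    base = old.rstrip("!@#$%")            # "Summer2023!" -> "Summer2023"
    stem = base.rstrip(string.digits)     # -> "Summer"
    cands = {old, old.lower(), old.upper(), old.swapcase()}
    m = re.search(r"\d+$", base)
    bumped = [str(int(m.group()) + d) for d in range(1, 4)] if m else []
    for tail in ["", "1", "123", "2024", "2025"] + bumped:
        for punct in ("", "!", "!!", "#"):
            cands.add(stem + tail + punct)
            cands.add(base + tail + punct)
    cands.add(old.translate(str.maketrans("aeios", "43105")))  # leetspeak
    return cands


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 stand-in for the leaked (hashed) passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def crack_with_old(known_old: str, new_hash: bytes, salt: bytes) -> Optional[str]:
    """Offline guess: does any mutation of the known old password match the new hash?"""
    for cand in mutations(known_old):
        if hmac.compare_digest(hash_pw(cand, salt), new_hash):
            return cand
    return None


def generate_password(length: int = 20) -> str:
    """What a password manager does: a long random string unrelated to the old one."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    now = int(time.time())
    print("attacker code accepted before re-enrollment:",
          attacker_codes_still_valid(STOLEN_SEED, STOLEN_SEED, now))
    print("attacker code accepted after re-enrollment: ",
          attacker_codes_still_valid(reenroll(), STOLEN_SEED, now))
    weak = hash_pw("Summer2024!", SALT)
    print("tweaked password recovered as:", crack_with_old("Summer2023!", weak, SALT))
    strong = hash_pw(generate_password(), SALT)
    print("random password recovered as: ", crack_with_old("Summer2023!", strong, SALT))
```

Running it shows the attacker’s code being accepted while the user keeps the old authenticator entry and rejected after `reenroll()`, and “Summer2024!” being recovered from the known “Summer2023!” in a few dozen guesses while the generated password is not; a real cracking run uses far larger rule sets and wordlists, which only widens the gap.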

Kaspersky official blog – Read More