Cloud storage and file sharing company Dropbox disclosed a security breach that resulted in an unauthorized access to sensitive information, including passwords and other authentication information.
Dropbox revealed that the breach targeted its production environment, specifically impacting Dropbox Sign, formerly known as HelloSign, a platform for digitally signing documents, in an 8-K filing with the U.S. Securities and Exchange Commission.
“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.
The accessed information pertains to all Dropbox Sign users, encompassing account settings, names and emails. For some users, additional data such as phone numbers, hashed passwords and authentication information like API keys, OAuth tokens and multi-factor authentication were also compromised.
“From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.”
While forensic investigators are engaged and law enforcement notified, regulatory agencies are being informed based on the presumption of personal information access.
Dropbox has initiated steps to mitigate the impact of the breach, including rotation of OAuth tokens and generating new API keys for customers with API access to Dropbox Sign. Certain functionalities will remain restricted until API keys are rotated, Dropbox said.
User notifications are underway, with Dropbox reaching out to affected users and providing guidance on necessary actions. The company expects all notifications to be completed within the next week.
Although Dropbox does not anticipate a significant impact on its operations or financial condition, it acknowledges potential risks, including litigation, changes in customer behavior and heightened regulatory scrutiny.
This Dropbox data breach incident marks another security challenge for the file sharing giant, following a phishing campaign in 2022 that targeted its developers, resulting in unauthorized access to company GitHub accounts and sensitive information.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
