Dropbox warns about a Dropbox Sign breach

Dropbox has shared a report on a data breach in the Dropbox Sign e-signature service. What does this mean for users, and what should they do?

Dropbox Sign e-signature service hacked

Dropbox has shared the results of an investigation into a hack of its infrastructure. The company doesn’t specify when the incident actually occurred, stating only that the attack was noticed by company employees on April 24. Here, we explain what happened, what data was leaked, and how to protect yourself and your company from the consequences of the incident.

Dropbox Sign hack: how it happened and what data was stolen

Unidentified attackers managed to compromise a Dropbox Sign service account, and through it gained access to the platform’s internal automated configuration mechanism. Using this access, the hackers were able to get hold of a database containing information about Dropbox Sign users.

As a result, the following data of registered users of the Sign service was stolen:

  • usernames;
  • email addresses;
  • phone numbers;
  • passwords (hashed);
  • authentication keys for the Dropbox Sign API;
  • OAuth authentication tokens;
  • SMS and application two-factor authentication tokens.

If users of the service have interacted with it without creating an account, only their names and email addresses have been leaked.

Dropbox states that it found no signs of unauthorized access to the contents of user accounts, that is, to documents and agreements, or to payment information.

As a protective measure, Dropbox reset the passwords for all Dropbox Sign accounts and ended all active sessions, so you’ll have to log in to the service again and set a new password.

Does the Dropbox Sign hack affect all Dropbox users?

Dropbox Sign, formerly known as HelloSign, is Dropbox’s standalone cloud document workflow tool, used primarily for signing electronic documents. The closest analogues of this service are DocuSign and Adobe Sign.

As the company emphasizes in its statement, Dropbox Sign’s infrastructure is “largely separate from other Dropbox services”. Judging by the results of the company’s investigation, the Dropbox Sign hack was an isolated incident and did not affect other Dropbox products. Thus, according to the information we have now, it doesn’t in any way threaten users of the company’s main service, Dropbox cloud file storage itself. This is also true for those users whose Sign account was linked to their main Dropbox account.

What should you do about Dropbox Sign being hacked?

Dropbox has already reset passwords for all Dropbox Sign accounts, so you will have to change the password in any case. We recommend using a completely new password rather than a slightly modified version of the old one. Ideally, you should generate a long random combination of characters using a password manager and store it there.

Since two-factor authentication tokens were also stolen, you should reset them as well. If you used SMS, the reset occurred automatically. And if you used an application, you will have to do it yourself. To do so, go through the process of registering your authenticator app with the Dropbox Sign service again.

The list of data stolen by hackers also includes authentication keys for the Dropbox Sign API. So if your company used this tool through the API, you need to generate a new key.

Finally, if you’ve used the same password in any other services, you should change it as quickly as possible – especially if it was accompanied by the same username, email address, or phone number that you specified while registering for Dropbox Sign. Again, it is convenient to use our Password Manager for this, which, by the way, is part of our security solution for small businesses.
