Dropbox Sign Confirms Hackers Breached System

Dropbox this week admitted that hackers breached its Dropbox Sign product and accessed information including users’ emails, usernames, phone numbers and hashed passwords.

“On April 24th, we became aware of unauthorised access to the Dropbox Sign (formerly HelloSign) production environment,” it said in a blog post on Dropbox Sign. It did not give specifics about how many people were affected by this breach.

The hacker reportedly gained access to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

For those who received or signed a document through Dropbox Sign, but never created an account, email addresses and names were also exposed in the breach.

It added that for those who created a Dropbox Sign or HelloSign account, but did not set up a password with the platform (e.g. “Sign up with Google”), no password was stored or exposed.

Dropbox says that investigations are ongoing, but that the incident was isolated to Dropbox Sign infrastructure and that it does not “believe” it impacted any other Dropbox products.

Hackers on computers wearing face masks. Image: Microsoft Copilot

Explaining the nature of the breach, Dropbox said that its preliminary investigations have revealed that a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end. A service account is a type of non-human account used to execute applications and run automated services.

“As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database,” it said.

For Dropbox Sign products, the team has expired user passwords and logged users out of any devices they had connected to Dropbox Sign. An email to reset passwords has been sent to all Dropbox Sign users.

In Australia, the annual Cyber Threat Report 2022-2023 released in November last year found that the average cost of cybercrime per report rose by 14 per cent from 2021-22, to $71,600 for large businesses, A$97,200 for mid-size businesses and A$46,000 for small businesses.

The report noted that the Australian Signals Directorate’s cyber security centre received over 94,000 reports of cybercrime over the financial year, an increase of 23 per cent from 2021-22.
