DROPBOX, INC. Cybersecurity Incident
Updated by Keith Kirkland
High Level Summary of the Security Advisory
Dropbox Sign (formerly HelloSign) is a tool within Dropbox that allows documents to be electronically signed. With this tool, signatures can be requested from others or documents can be signed directly within Dropbox, eliminating the need for printing, scanning, or faxing. The process of document management is streamlined, making it easier and more efficient for both individuals and teams to handle paperwork. This feature is especially useful for businesses, contracts, agreements, and any document requiring signatures.
According to the SEC 8-K filing by Dropbox, Inc., on April 24, 2024, Dropbox became aware of unauthorized access to the Dropbox Sign production environment. A cybersecurity incident response process was immediately activated to investigate, contain, and remediate the incident. Upon further investigation, it was discovered that data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings, had been accessed by the threat actor. For subsets of users, phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication were also accessed. Email addresses and names of those who received or signed a document through Dropbox Sign but never created an account were also exposed.
According to the official notification provided by Dropbox, the investigation revealed that a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As a result, this account had privileges to take various actions within Sign’s production environment. Subsequently, the threat actor used this access to the production environment to access their customer database.
As of the date of the SEC 8-K filing, there is no evidence that the contents of users’ accounts, such as their agreements or templates, or their payment information, were accessed by the threat actor. Additionally, it is believed that this incident was limited to the Dropbox Sign infrastructure, and there is no evidence that the threat actor accessed the production environments of other Dropbox products. The investigation is ongoing.
Dropbox, Inc. affirms that the law enforcement, regulatory authorities, and affected users have been notified about the unauthorized access to personal information. Moreover, it is not believed that the incident is reasonably likely to have a material impact on the overall business operations or financial condition. However, the firm remains subject to various risks, including potential litigation and regulatory scrutiny.
Should I be concerned?
Maybe. It depends on if you have a relationship with Dropbox, Inc. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.
Note: this link specifically references vendor directory records. You may also want to search your RLP for “Dropbox” to confirm.
What to do if you or your vendors have active relationships with Dropbox
As per the notification provided by Dropbox, the firm is actively contacting all affected users to provide them with step-by-step instructions on how to further protect their data. Additionally, their security team has reset users’ passwords, logged them out of any devices connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.
As part of the FAQ accompanying the official notification, Dropbox has recommended the following important steps to safeguard your account and personal information.
- If you are an API customer, it is important to ensure the security of your account by rotating your API key. This can be done by generating a new key, configuring it with your application, and deleting the current one. As an additional precaution, Dropbox will restrict certain API key functionalities while coordinating their rotation. Only signature requests and signing capabilities will remain operational for business continuity. Once API keys are rotated, restrictions will be lifted, and normal operation will resume. Click here to check how to create a new key.
- If an authenticator app is used for multi-factor authentication, please reset it by deleting the existing entry and then resetting it. If SMS is used, no action is required.
- Although this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products, if you reused your Dropbox Sign password on any other services, it is strongly recommended changing your password on those accounts and enabling multi-factor authentication where available. Instructions on how to do this for your Dropbox Sign account can be found here.
---------------------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
The VISO TRUST team
—----------—----------—-----