Dropbox Sign was hacked by scrotes unknown, the cloud company confirmed. It uncovered the breach a week ago, but we still don’t know when the actual hack happened.
Separate from its core cloud storage service, Dropbox Sign is an electronic signature platform, in the mold of Docusign or Adobe Sign (née EchoSign). Dropbox Sign was formerly known as HelloSign before its acquisition in 2019.
Worryingly, API keys and MFA secrets were among the stolen data. In today’s SB Blogwatch, we rush to rotate and regenerate.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Taylor mashography.
What’s the craic? The WSJ’s Ben Glickman reports: Dropbox Reports Cyberattack
“Electronic signatures”
The incident, initially detected April 24, … resulted in a threat actor accessing phone numbers, hashed passwords and certain authentication information for a subset of users [and] data related to all users of Dropbox Sign, such as emails and usernames. … The company is investigating the incident and has notified law enforcement, regulatory authorities and users.
…
Dropbox Sign software allows users to make electronic signatures in online documents. … Dropbox said there was no evidence the actor had accessed the material in users’ accounts.
Got any advice for victims? BleepingComputer’s Lawrence Abrams does: Dropbox says hackers stole customer data
“Potential phishing”
Cloud storage firm DropBox … determined that the threat actors gained access to a DropBox Sign automated system configuration tool, … part of the platform’s backend services. This configuration tool enabled the threat actor to execute applications and automated services with elevated privileges.
…
DropBox says that it reset all users’ passwords, logged out all sessions … and restricted how API keys can be used until they are rotated by the customer. The company has provided additional information in the security advisory on how to rotate API keys. … Those who utilize MFA … should delete the configuration from their authenticator apps and reconfigure it with a new MFA key.
…
Be on the lookout for potential phishing campaigns. … If you receive an email “from DropBox” … asking you to reset your password, do not follow any links in the email.
What next? Dropbox’s anonymous PR flacks take the flack: A recent security incident
“We’re deeply sorry”
We’re … conducting an extensive review of this incident to better understand how this happened, and to protect against this kind of threat in the future. … Our investigation is still ongoing, and we’ll provide additional updates as we have them.
…
We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry.
Shame it happened, but this is a decent set of responses. You can almost hear bilekas’s jaw hit the floor:
This might be the first time a large company has actually apologised and admitted some fault. Colour me shocked.
On the other hand, u/HonestTea-BestPolicy does not forgive:
Those stupid mother*******. When will this saga of incompetent companies end?
Dropbox is keen to point out the breach only affected its Sign product. But that doesn’t placate perkele:
If Dropbox focussed on doing its core mission well, without jacking up prices and adding in **** many don’t want, it might still be a not bad thing. But en****tification of all sorts must continue.
That’s progress for you. Big Hairy Gorilla sounds slightly sarcastic:
Let’s add more and more every year or two. And also, make sure to mix up the terminology from the parts bolted on.
…
Or perhaps you can get good value out of a subset of features. … But it’s not really designed, as much as thrown together.
The more we find out, the less we know. tyrelb has more questions than answers:
I use Dropbox Sign API, so a little fearful our private data was accessed. … It’s unclear from the press release.
…
April 24th they became aware of the issue, reporting it over a week later. I’d also be curious on how long this problem went on before being detected.
Meanwhile, let’s remember there’s “no evidence that the attacker accessed the contents of users’ accounts.” To which Pascal Monett asks the obvious question:
Well, if the attackers got hold of the OAuth tokens and MFA passwords, how would you know?
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image source: Kelly Sikkem (via Unsplash)