Security Breach Exposes Dropbox Sign Users

Cloud storage giant Dropbox has disclosed a significant breach in its systems, exposing customers’ data to unauthorized entities. 

The incident, detailed in a new regulatory filing, primarily affected Dropbox Sign, a service akin to DocuSign, allowing users to manage documents online.

According to the document, management became aware of the breach on April 24 and promptly initiated cybersecurity measures. 

The investigation revealed that the attackers accessed various user data, including emails, usernames, phone numbers, hashed passwords and authentication information like API keys and OAuth tokens. 

“Authentication processes are put in place to prevent cyber criminals from accessing systems or accounts even when they have stolen credentials,” explained Stephen Robinson, senior threat intelligence analyst at WithSecure.

“However, the theft of authentication data such as tokens and certificates can allow these security processes to be completely bypassed.”

Additionally, as reported in a blog post published on Wednesday by Dropbox, even individuals who interacted with Dropbox Sign without creating an account had their information compromised.

The company said it found no evidence of access to the contents of users’ accounts or payment information. It appears that the attack was contained within the Dropbox Sign infrastructure, sparing other Dropbox products. This isolation underscores the complex nature of Dropbox’s IT environment, stemming from its acquisition of HelloSign in 2019.

The breach reportedly stemmed from a compromised service account within Dropbox Sign’s backend, allowing the attackers to access the customer database. In response, Dropbox has taken measures such as resetting passwords, logging out users from connected devices, and rotating API keys and OAuth tokens.

“Incidents such as this show how critical it is for large organizations to improve cyber-resilience,” Robinson added. “Cost-effective methods we advise all organizations to implement include regular risk assessments, rigorous patching schedules and fostering a strong cybersecurity culture supported by clear security policies.”

Despite the breach, Dropbox reassured investors that it hasn’t had a significant financial impact. Moving forward, the company plans to reach out to affected users with instructions on securing their data. The investigation is ongoing, with Dropbox promising further updates as they emerge.

Neither the regulatory filing nor the blog post mentions the provision of free identity protection services to affected users, which are commonly offered after data breaches.
