Dropbox is one of the most popular cloud storage and collaboration tools. Unfortunately, hackers just stole a lot of user data from Dropbox Sign, and the company’s other services could potentially be affected.
Dropbox said in a Form 8-K filing became aware of unauthorized access to Dropbox Sign, the company’s service for sending and signing digital contracts, on April 24th, 2024. Dropbox discovered that the hacker had accessed emails and usernames of Dropbox Sign users, as well as “phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication” for a smaller subset of users.
Dropbox believes the attack was limited to Dropbox Sign, but the company stopped short of ruling it out completely. A blog post explained, “From a technical perspective, Dropbox Sign’s infrastructure is largely separate from other Dropbox services. That said, we thoroughly investigated this risk and believe that this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.”
The attacker gained access through a service account that was part of Dropbox Sign’s back-end infrastructure, which had elevated permissions and access to the customer database. After the attack was discovered, Dropbox reset all affected passwords and logged out all users. The company has also started updating all API keys and OAuth tokens that were stolen in the attack.
Data breaches are a common occurrence, so it’s not too surprising that Dropbox was hit, but they don’t always go as far as phone numbers and multi-factor authentication. Over 15,000 Roku accounts were recently stolen, because they used the same passwords as other accounts stolen in other data breaches, which prompted Roku to turn on two-factor authentication for all its accounts. Comcast also had a significant data breach last year that affected up to 36 million customers.
Dropbox said in a blog post, “We’ve been working around the clock to mitigate risk to our customers, and we’re in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data.”
Source: SEC, Dropbox Blog via The Register
