Dropbox Breach Exposes Customer Credentials, Authentication Data

Online storage service Dropbox is warning customers of a data breach by a threat actor that accessed customer credentials and authentication data of one of its cloud-based services.

The breach occurred when an unauthorized user gained access to the Dropbox Sign (formerly HelloSign) production environment, something administrators became aware of on April 24, according to a blog post published on May 1. Dropbox Sign is an online service for signing and storing contracts, nondisclosure agreements, tax forms, and other documents using legally binding e-signatures.

Specifically, the actor gained access to a Dropbox Sign automated system configuration tool, compromising a service account used to execute apps and run automated services as part of Sign's back end.

"As such, this account had privileges to take a variety of actions within Sign's production environment," the Dropbox Sign team wrote in the blog post. "The threat actor then used this access to the production environment to access our customer database."

Customer Credentials Exposed

Data exposed in the breach includes Dropbox Sign customer information such as emails, usernames, phone numbers, and hashed passwords. Moreover, anyone who received or signed a document through Dropbox Sign but never created an account had their email addresses and names exposed in the breach.

The threat actor also accessed data from the service itself, such as Dropbox Sign's API keys, OAuth tokens, and multifactor authentication (MFA) details, according to the post. This is all data used by third-party partners to connect to the service and offer seamless integration from their respective online services, with OAuth in particular being weaponized by threat actors for cross-platform compromise. Thus, users of other services could indirectly be affected by the breach.

Dropbox found no evidence that threat actors accessed any of the contents of customer accounts, such as documents or agreements signed through the service, nor any customer payment information. Moreover, as Dropbox Sign's infrastructure is largely separate from other Dropbox services, the company found that none of its other entities were affected by the breach.

As soon as Dropbox discovered the breach, the company brought on forensic investigators to get to the bottom of it; that investigation is ongoing. Dropbox also is in the process of reaching out to all users impacted by the incident and will provide step-by-step instructions on how to further protect their data.

Mitigation Steps

As an initial mitigation of the effects of the breach, Dropbox's security team reset users' passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens for the service. From a user perspective, all Dropbox Sign users will be asked to reset their passwords the next time they log into the service, the company said.

API customers will need to rotate their API keys by generating a new one; instructions for doing this are online. That key will then have to be configured with their individual application, along with deleting the current API key to protect their accounts, according to Dropbox.

"As an additional precaution, we'll be restricting certain functionality of API keys while we coordinate rotation," according to the post. As a result, only signature requests and signing capabilities will continue to be operational until the API key is rotated; only then will the restrictions be removed and the product continue to function as normal.

For customers who use an authenticator app along with Dropbox Sign for MFA, they should reset it by first deleting their existing entry and only then proceed with the reset, the company said. Those who use SMS for MFA don't need to take action.

Further, if someone reused their Dropbox Sign password on any other services, Dropbox recommends that password be changed and MFA be used whenever available.

Dropbox will continue an "extensive review" of the incident to understand exactly what happened, and to protect its customers against similar threats in the future, the company said, adding its willingness to help any customer who was impacted by the breach.