Digital signature: Data leak from Dropbox Sign

Unknown attackers were able to access customer data from the digital signature service Dropbox Sign. Other Dropbox products are not believed to be affected.

Save to Pocket listen Print view

(Bild: Postmodern Studio/Shutterstock.com)

2 min. read
This article was originally published in German and has been automatically translated.

Unauthorized persons were able to gain access to the internal servers of Dropbox Sign (formerly HelloSign) and view customer email addresses and passwords, among other things.

Dropbox Sign can be used to digitally sign documents with legal effect. According to a blog post, Dropbox discovered the security incident on April 24, 2024. According to its own information, the signing service is isolated from other Dropbox products. Accordingly, the operators currently assume that no other Dropbox products are involved. As a result, data stored by customers in the Dropbox cloud should not be affected by the attack.

Those responsible state that API keys, email addresses, multi-factor information, names, OAuth tokens, passwords and telephone numbers of customers have been accessed. However, the passwords are not said to be unencrypted, but rather in hashed form. As a result, attackers should not be able to do anything with them without further ado. It is currently not known which hashing method was used. According to the current state of knowledge, there has been no access to payment data.

Users who do not have a Dropbox Sign account but have received signed documents from the service in the past are also said to have been affected.

Dropbox states that the attackers gained access to a configuration tool in an unspecified way and thus gained control over a service account. In this position, far-reaching system access was then possible. Those responsible state that they reset Dropbox sign passwords, among other things, for security reasons.

(des)