(Credit: T. Schneider/Shutterstock.com)
An unknown cyberattacker has infiltrated the Dropbox Sign e-signature platform in a breach that puts users' information at risk.
"A third party gained access to a Dropbox Sign automated system configuration tool," Dropbox said in a blog post this week. "The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment."
The attacker accessed Dropbox Sign's customer database containing user email addresses, phone numbers, and hashed passwords. The database also has information about user account settings, API keys, and authentication tokens. The names and email addresses of anyone who has ever received or added a signature to a Dropbox Sign document, even if they don't have a Sign account, were exposed in the breach.
Dropbox claims that no user documents, agreements, or customer payment info have been exposed, and those with regular Dropbox accounts that have never used Sign aren't impacted by the breach.
Dropbox has already taken steps to reset all Sign users' passwords and logged them out of all their sessions and devices. The company is also working to change the compromised API keys and OAuth tokens, according to the post.
Dropbox Sign users with authenticator apps are being advised to reset their Sign authentication by removing the connection on their app, and then adding it again. Those with SMS authentication don't need to reset or change it, according to the company. But the exposed names, phone numbers, and email addresses could result in future SIM-swap attack attempts.
Dropbox says it plans to notify everyone exposed by the breach "within a week."