Dropbox Hit by a Security Breach: Names, Passwords, API Keys Stolen

by Krishi Chowdhary, from Techreport (#6MH1F)
  • Dropbox was hit by a major security breach on April 24. The matter is already under investigation and the authorities have been informed.
  • No material effect on its operations or financial condition is expected. However, the investors might have to worry about how the users take this news.
  • Users will be notified about the attack and their next course of action by next week.


Dropbox was hit by a major security breach where unauthorized users gained access to confidential information of its users. The attack was first noticed on April 24.

In a blog post, the company said it's deeply apologetic for the incident and assured the users that it's doing its best to minimize damage and prevent an attack like this from ever happening again.

In a regulatory filing, the company shared the details of the incident and said that the target of the attack was Dropbox Sign, an e-signature service that lets you send, sign, and store documents digitally.

The company quickly took action and activated its cyber security incident response process to investigate the cause, fix the issue, and prevent further damage. This includes:

  • Resetting passwords
  • Logging out the users
  • Rotating their API keys and OAuth tokens

Forensic investigators and other law enforcement authorities have also been informed about the issue.

As for the investors, the company has said that the incident won't have any "material" impact on its day-to-day operations or financial condition.

However, nothing can be said until we see how the users react to this news (they will be notified by next week). There might be lawsuits or a significant drop in customer trust, which will definitely affect business.

What Was Stolen in the Attack?

The data of every single Dropbox Sign user was compromised in the attack. For most, the stolen data included names, email addresses, and other details from general settings.

For a small group of users it was worse: the following information was also stolen:

  • Phone numbers
  • Login credentials
  • Hashed passwords
  • API keys
  • Multi-factor authentication
  • OAuth tokens

On that note, for customers with a compromised API key, a new one will be generated but certain functions will remain unavailable until the investigation is over.

"Only signature requests and signing capabilities will continue to be operational for your business continuity. Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal." - Dropbox
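The restriction-until-rotation policy quoted above, modelled as an added example (this is not Dropbox's code; the scope names, the key structure and the incident cutoff date are assumptions for illustration, and the article gives only "April 24" without a year):

```python
"""Illustrative model of a post-breach API-key policy: keys issued before the
incident are treated as exposed and keep only signing functions; rotating a key
revokes the old secret and mints a new, unrestricted one."""
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so callers do not need to import datetime themselves."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed cutoff: the article says the attack was noticed on April 24;
# the year is an assumption made for this example.
INCIDENT_CUTOFF = utc(2024, 4, 24)

# Hypothetical scope names. Only signature requests and signing stay available
# on an un-rotated key, mirroring the statement quoted in the article.
DEGRADED_SCOPES = frozenset({"signature_request.create", "signature_request.sign"})
FULL_SCOPES = DEGRADED_SCOPES | {"template.read", "team.manage", "account.read"}


@dataclass
class ApiKey:
    key_id: str
    secret: str
    issued_at: datetime
    revoked: bool = False

    def compromised(self) -> bool:
        """Any key that already existed before the incident is assumed exposed."""
        return self.issued_at < INCIDENT_CUTOFF


def allowed_scopes(key: ApiKey) -> frozenset:
    """Revoked keys get nothing; pre-incident keys are limited to signing only."""
    if key.revoked:
        return frozenset()
    return DEGRADED_SCOPES if key.compromised() else FULL_SCOPES


def authorize(key: ApiKey, scope: str) -> bool:
    return scope in allowed_scopes(key)


def rotate(old: ApiKey, now: datetime) -> ApiKey:
    """Revoke the old secret and issue a fresh one; being post-incident, the
    new key is no longer subject to the degraded-scope restriction."""
    old.revoked = True
    return ApiKey(key_id=old.key_id, secret=secrets.token_urlsafe(32), issued_at=now)
```

The old key object is revoked in place, so any caller still holding the exposed secret is denied everything after rotation rather than keeping the degraded signing access.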

The worst part is that users who only received and signed a document through Dropbox Sign without ever creating an account on the platform also had their names and email addresses stolen.

The only silver lining here is that the content of the agreements, the templates used by the users, and their payment information were not exposed.

Another piece of good news is that since Dropbox Sign's infrastructure is mostly separate from its other services, the attack was contained. So, if you are using a different Dropbox product, you've got nothing to worry about.

How Did the Hacker Break In?

In its official blog, Dropbox explained that a third party somehow got access to the Dropbox Sign automated system configuration tool.

The hacker targeted a service account, which is basically a type of non-human account used to run applications and automated services.

Since this is a backend account used by the company to execute functions, it comes with elevated privileges and broad access, which the hacker exploited.

Dropbox has 700 million registered users worldwide. Exactly how many of these have been affected by the above-mentioned breach is still unknown.

The post Dropbox Hit by a Security Breach: Names, Passwords, API Keys Stolen appeared first on The Tech Report.
