Dropbox Hacked: eSignature Service Breached

The company apologized as user details leaked from its “Dropbox Sign” product.

Dropbox Sign was hacked by scrotes unknown, the cloud company confirmed. It uncovered the breach a week ago, but we still don’t know when the actual hack happened.

Separate from its core cloud storage service, Dropbox Sign is an electronic signature platform, in the mold of Docusign or Adobe Sign (née EchoSign). Dropbox Sign was formerly known as HelloSign before its acquisition in 2019.

Worryingly, API keys and MFA secrets were among the stolen data. In today’s SB Blogwatch, we rush to rotate and regenerate.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Taylor mashography.

Drop Dropbox?

What’s the craic? The WSJ’s Ben Glickman reports: Dropbox Reports Cyberattack

Electronic signatures
The incident, initially detected April 24, … resulted in a threat actor accessing phone numbers, hashed passwords and certain authentication information for a subset of users [and] data related to all users of Dropbox Sign, such as emails and usernames. … The company is investigating the incident and has notified law enforcement, regulatory authorities and users.

Dropbox Sign software allows users to make electronic signatures in online documents. … Dropbox said there was no evidence the actor had accessed the material in users’ accounts.

What next? Dropbox’s anonymous PR flacks take the flack: A recent security incident

We’re deeply sorry
We’re … conducting an extensive review of this incident to better understand how this happened, and to protect against this kind of threat in the future. … Our investigation is still ongoing, and we’ll provide additional updates as we have them.

We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry.

Shame it happened, but this is a decent set of responses. You can almost hear bilekas’s jaw hit the floor:

This might be the first time a large company has actually apologised and admitted some fault. Colour me shocked.

On the other hand, u/HonestTea-BestPolicy does not forgive:

Those stupid mother*******. When will this saga of incompetent companies end?

Dropbox is keen to point out the breach only affected its Sign product. But that doesn’t placate perkele:

If Dropbox focussed on doing its core mission well, without jacking up prices and adding in **** many don’t want, it might still be a not bad thing. But en****tification of all sorts must continue.

That’s progress for you. Big Hairy Gorilla sounds slightly sarcastic:

Let’s add more and more every year or two. And also, make sure to mix up the terminology from the parts bolted on.

Or perhaps you can get good value out of a subset of features. … But it’s not really designed, as much as thrown together.

The more we find out, the less we know. tyrelb has more questions than answers:

I use Dropbox Sign API, so a little fearful our private data was accessed. … It’s unclear from the press release.

April 24th they became aware of the issue, reporting it over a week later. I’d also be curious on how long this problem went on before being detected.

Meanwhile, let’s remember there’s “no evidence that the attacker accessed the contents of users’ accounts.” To which Pascal Monett asks the obvious question:

Well, if the attackers got hold of the OAuth tokens and MFA passwords, how would you know?

And Finally:

All 59 in 299 seconds

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image source: Kelly Sikkema (via Unsplash)
