Security Management, Vulnerability Management

Hackers Hit Dropbox’s Sign Tool for PII Data

A computer popup box screen warning of a system being hacked, compromised software environment.

Dropbox was recently hit by a cyberattack on its Sign tool, the company’s electronic signature instrument, previously known as HelloSign. The tool enables users to prepare, sign, send and track legally binding e-signatures remotely.

Dropbox said that an unauthorized threat actor had gained access to its production environment and pilfered personally identifiable information (PII), including email addresses, usernames, phone numbers, hashed passwords and data on general account settings and authentication information, such as API keys, OAuth tokens and multi-factor authentication.

The hack occurred fast on the heels of Dropbox’s Q1 2024 financial results, in which the company reported in an 8-K filing, dated May 9, 2024, a 3.3% year-over-year uptick in revenue to $631 million and a 91% rise in net income to $132 million.

In a separate 8-K filing dated April 29, Dropbox said the cyber incident has not had a material impact on the company’s overall business operations given its "current understanding" of the event. In compliance with Securities and Exchange Commission (SEC) reporting of material cyber incidents, the company said it had notified regulatory authorities and users.

“We have not determined that the incident is reasonably likely to materially impact our financial condition or results of operations. We remain subject to various risks due to the incident, including potential litigation, changes in customer behavior, and additional regulatory scrutiny. Our remediation efforts are ongoing,” Dropbox said in the filing.

Extent of Hack Explained

Those Sign customers that never created an account but received and signed a Sign document also saw their email addresses and names exposed. However, users who created either a Dropbox or HelloSign account but did not set up a password were not victimized by the hack.

Dropbox said that so far it has not found any “evidence of unauthorized access to the contents of customers’ accounts,” such as their documents, agreements or payment information.

The Sign infrastructure is “largely separate” from other Dropbox services, the company said. Based on a “thorough” investigation, it believes that the hack was isolated to the Sign environment and did not impact other services.

The company has determined that the hacker gained access to an automated system configuration tool.

“A third party gained access to a Dropbox Sign automated system configuration tool,” Dropbox said. “The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services.”

The account had privileges to take a “variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database,” the company said.

Dropbox Resets Passwords

In an incident response to the breach, Dropbox said it reset users’ passwords, logged users out of any devices they had connected to Sign, and is coordinating the rotation of all API keys and OAuth tokens.

Dropbox is also asking customers who reused their Sign password on other services to change it on those accounts and deploy MFA.

The company said its investigation is ongoing and it will provide updates as needed.

Dropbox entered the eSignature market in 2019 after acquiring HelloSign, which had 80,000 customers, for $230 million.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.