Popular cloud storage provider Dropbox has suffered a significant security breach impacting all users of its eSignature platform Dropbox Sign (formerly HelloSign).
Dropbox entered the eSignature market in 2019 after acquiring HelloSign, which had 80,000 customers, for $230 million. In 2023, the company reported $2.5 billion in revenue.
According to an 8-K filing with the U.S. Securities and Exchange Commission (SEC), Dropbox detected “unauthorized access” on April 24, 2024.
The San Francisco, California-based company responded by activating its incident response process to contain and mitigate the incident and launching an investigation to determine its scope. It also reset users’ passwords, logged out connected devices, and began rotating all API keys and OAuth tokens.
According to its investigation, the cloud storage provider believes the threat actor compromised a Dropbox Sign automated system configuration tool and gained privileges to execute applications in the eSignature platform’s production environment.
“The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services,” the company said in a data breach notification posted on its website.
The threat actor then used their access to compromise a Dropbox customer database and access personal information, including emails, usernames, phone numbers, and account settings.
Security breach impacts all Dropbox Sign eSignature users
Dropbox determined that the security breach impacted all its eSignature platform users, including those without an account.
“Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings,” Dropbox told the SEC.
In some cases, the threat actor accessed “phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
“This breach is especially significant since API keys and OAuth tokens were compromised,” said Ray Kelly, Fellow, Synopsys Software Integrity Group. “Oftentimes, API keys are static and do not change so that organisations can automate their processes around their services. When these keys are compromised, a malicious actor can gain access to services that can be sensitive or cause monetary consequences for the victim.”
Dropbox disclosed that the eSignature platform’s security breach also exposed the names and email addresses of individuals “who received or signed a document through Dropbox Sign but never created an account.”
However, Dropbox’s investigation determined that the threat actor never “accessed the contents of users’ accounts, such as their agreements or templates, or their payment information.”
Businesses use eSignature platforms such as Dropbox Sign to send highly confidential documents such as agreements, contracts, and transactions. Exposing that information could severely affect their operations and expose them to various cyber risks.
“This breach of Dropbox Sign customer information and authentication information creates risk for users of that system,” said Jason Soroko, Senior Vice President of Product at Sectigo. “People who use e-signatures are typically trained to follow processes and, unfortunately, this can be an advantage for the attackers who now have their contact information.”
Nathaniel Jones, the Director of Strategic Threat and Engagement at Darktrace, warned that the Dropbox Sign security breach could extend beyond the impacted users.
“The implications could extend further into corporate ecosystems: employees reuse passwords all the time for the many apps and tools they log into, so the compromised details may have opened entry points across other cloud services,” noted Jones.
Meanwhile, Dropbox has hired leading forensic experts to assist in understanding the scope of the eSignature platform’s security breach. It has also notified law enforcement and privacy regulatory authorities.
The company will also contact impacted eSignature users and provide “step-by-step instructions” to secure their information.
Other Dropbox services not impacted by security breach
Dropbox has not disclosed the number of users impacted by the eSignature security breach. In 2022, the company had 17.37 million paying customers, primarily small and mid-sized businesses, and 700 million registered users.
Nevertheless, the cloud storage services provider claims that the security breach was limited to the Dropbox Sign infrastructure, which is separate from other Dropbox services.
“Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation,” said the company.
Consequently, the incident is unlikely to have any material impact on the company’s financial condition or the results of its operations. However, Dropbox anticipates “potential litigation, changes in customer behavior, and additional regulatory scrutiny.”
The cloud storage services provider also deeply regretted shattering its customers’ trust after failing to protect their information.
“We hold ourselves to a high standard when protecting our customers and their content. We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers,” the company apologized.
This is the second time in two years that Dropbox has fallen victim to a cyber attack. In November 2022, the cloud storage provider had 130 GitHub source code repositories exposed after it fell victim to a phishing attack.