Thursday, May 2, 2024

 

DIGITAL LIFE


Dropbox logo on smartphone atop a keyboard

Dropbox Warns Hacker Accessed Customer Passwords And 2FA Data

Dropbox has confirmed that a hacker has accessed customer information including emails and usernames, phone numbers and hashed passwords, OAuth tokens and multi-factor authentication information. Here’s what is known so far.

Dropbox has issued a statement confirming that it became aware of unauthorized access to the production environment of the Dropbox Sign platform on April 24. That statement confirms that customer information was accessed, but says that it is believed the breach only impacted the Dropbox Sign infrastructure and no other Dropbox platforms or products. “We’re in the process of reaching out to all users impacted by this incident who need to take action, with step-by-step instructions on how to further protect their data,” Dropbox said.

The ongoing investigation has confirmed that the attacker gained access to an automated system configuration tool used by Dropbox Sign and compromised a service account used to execute applications and automated services. Dropbox described the account as non-human, but it came with high privileges, which enabled the hacker to access both the production environment and the customer database. Meanwhile, the Dropbox security team has taken precautionary measures, such as resetting users’ passwords and logging them out of any devices that had been connected to Dropbox Sign. “The next time you log in to your Sign account, you’ll be sent an email to reset your password,” Dropbox said, “we recommend you do this as soon as possible.”

No Evidence Of Access To Documents Or Agreements...Dropbox has stated that, at this stage of the investigation, it has found no evidence that the attackers accessed documents, agreements or other content in users’ accounts. However, the company has said that anyone who didn’t actually create a Dropbox Sign (or HelloSign as it used to be called) account but did receive or sign a document using the service had email addresses and names exposed. “We’re in the process of reaching out to all impacted users who need to take action, and we expect all notifications to be complete within a week,” Dropbox said.

API Customers Must Rotate Keys Now...Dropbox Sign application programming interface customers have been warned to rotate their API key, generate a new one in other words, and delete the existing one. Dropbox said that it is restricting functionality to API users during this process, but signature requests and signing capabilities will continue to be operational. “Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal,” Dropbox has confirmed.

Breach Through Acquisition?...“This looks like a classic case of breach through acquisition,” Andy Kays, CEO of Socura, said. “The most common scenarios are that the acquired company has vulnerabilities, limited security capabilities, or compatibility issues as products, technologies, services and teams are integrated.” Whatever the root cause of the unauthorized access, an attacker managed to get access to a service handling sensitive documents and that means there’s a whole heap of abuse that could follow. The Dropbox Sign breach “offers tremendous scope for abuse, identity theft, fraud, and business email compromise,” Socura warns, concluding, “Dropbox users must act as though an attacker has their signature and the ability to sign legal documents in their name. They should change their passwords and enable MFA immediately.”

Theft Of Dropbox Authentication Data Increases Phishing Risk...Stephen Robinson, a senior threat intelligence analyst at WithSecure, said that although the theft of customer information is a worry, it’s the theft of authentication data that is more concerning. “Authentication processes are put in place to prevent cyber criminals from accessing systems or accounts even when they have stolen credentials,” Robinson said, “however, the theft of authentication data such as tokens and certificates can allow these security processes to be completely bypassed.” Robinson advised that all Dropbox users should be alert for potential phishing emails or other unsolicited communication. “With the type of data stolen, a cyber attacker could craft extremely plausible, targeted phishing emails, texts, and phone calls,” Robinson concluded.

Reporter: Davey Winder

No comments:

Post a Comment

  TECH Xbox early Black Friday deals offer massive game discounts for PC and Xbox Microsoft is kicking off Black Friday early, with discount...