This is the exact reason I started building Breach Canary[0], so that businesses can be alerted as soon as their user data is used in a way they wouldn't expect it to be. We produce authentic users with real working email addresses and phone numbers, so that as soon as they are contacted, you know someone has a copy of your userbase and is using it for reason x.
We have already started seeing a tonne of DocuSign phishing emails as others have mentioned. They were already a popular target for phishing users but now with very realistic documents the users are expecting? Nightmare.
Sounds like "Have I Been Pwned?"[0] which I have been using to identify which addresses were hacked/sold. Together with a unique email address per site registration, which all get captured by a catch-all on my domains, I have some information on which addresses are compromised.
To do something similar as an individual, I highly recommend 33mail.com [1], which provides a generous free tier, and lets you supply arbitrary <[email protected]>. As well as knowing where a leak originated, you can easily block any inbound email address if it is being abused.
Not affiliated, just a happy long-time paying customer.
I'm not sure DocuSign has a full handle on what happened here yet. I received six (6) DocuSign emails, half of which used a convincing subject derived from actual DocuSign documents I have signed or processed through the system. Perhaps a coincidence? Or these hackers gained access to more than just "email addresses".
At my work we too have received dozens of phishing emails purportedly from DocuSign. Most are getting caught but a few are making it to people's inbox. Which is terrible because a lot of my coworkers use DocuSign and think nothing of clicking on a link in one of these rather convincing emails.
I am skeptical as well. I feel like the standard procedure these days is for a company to acknowledge that their security has been compromised but that the breach was limited to only non-sensitive data.
In my opinion they're doing well taking responsibility like this and communicating honestly and openly. You can always disagree on how far the openness should go, but I've seen far less openness and far less communication (as in approaching zero), so they deserve some credit doing it this way.
I strictly started handing out "[email protected]" as email when interacting with companies. That at least makes routing the inevitable spam to the trash bin slightly easier when a breach occurs. It also provides an indicator of who has (in)voluntarily given away my data.
Looks like it took them about six days to figure out why their customers were getting spammed. It'd be helpful if they could outline what the "non-core system that allows us to communicate service-related announcements to users via email" actually was. Was this a Mailchimp account that got hacked into or did they have something they managed?
Emails and email addresses are very different in the context of DocuSign. The former includes the text of contracts. The latter is just a list of people who have ever given or received a job offer.
Emails from DocuSign do not contain the text of the contract. They contain a link to the contract and its text. I've signed a bunch of contracts via DocuSign and that's the consistent pattern I've observed.
> Ensure your anti-virus software is enabled and up to date
Uh, really, endorsing antivirus? They could at least have written something like "Ensure your system is properly secured" if they felt they need to stress that out.
Is it just me that feels this way, or should they not also apologize for the leak (which appears to have been from one of their systems)? I didn't see an actual apology.
It amazes me that Facebook allows you to get pgp encrypted emails delivered from them[1], but docusign, a company whose only job is secure document signing via secret links in an email, does not.
Been receiving phishing mails for this myself and I highly doubt this has just been about email addresses, as the mail subjects contained titles of signed documents.
Since there are now many occurrences of data breaches out there, I cannot stress enough the importance of a password manager and diversifying your passwords.
This one I learned from Troy Hunt and never looked back.
I did get an email from them which looked actually legit and opened it. It redirected me to a 404.
Is there a chance I could've been compromised in any way?
I'm guessing they couldn't have gotten much more than my IP address, maybe some cookies, all my passwords, private life?
It's good to see major security issues featured on HN. As a consumer, I typically react by resetting credentials, checking configurations etc. I'm not involved in the IT security field so HN serves as one of the early warning systems for me.
I would like to urge the Google team to solve one aspect of this problem, forever.
It takes no more than 20 minutes to prototype and then approximately 1 day to fully test the final solution that is necessary on their end to keep compromised emails from being fully compromised addresses forever, without any chance for you to ever know at any point in the future where mail REALLY comes from. Here is a description:
1. Currently they (Google) correctly do 99% by allowing you to type a + after your email address to create a new inbox that is marked in a special way. For example if your address is [email protected] then you can give the company [email protected] when you sign up - that inbox goes to you and when you start receiving spam in the future to "jsmith747+docusign" you can tell how they got it. The phishing mails associated with this breach would have gone to the same place.
2. The one and only problem with this, which currently has a "security through obscurity" solution, is that anyone can run a regex and remove +docusign to get at the primary, main inbox: [email protected]
3. The full and complete solution is to allow me to create a new inbox in Gmail through a single step, for example "j45rsdfjdocusign" which is linked to jsmith747 in a single direction. Sending mail is not necessary. This must be enabled through the Gmail interface for signed-in users who wish to create a new inbox. They must be able to generate an inbox there, which thereafter goes to the inbox.
4. Spammers have no way to programmatically get the original underlying address when going through a list. When they get to j45rsdfjdocusign there is no regex they can apply to get the original.
5. If in the future j45rsdfjdocusign starts getting spammed, etc, you can add a filter.
There's no special authentication around it, anyone signed into their inbox should be able to do it. They already have the infrastructure up for it around their + coding scheme.
To emphasize how important it is, here is a comment from this thread:
>The phishing emails had the color scheme changed, making them very phony and easy to classify.
Today. Under the current status quo, if in 48 months a much more legitimate-looking mail is sent to any of the same addresses, none of the recipients have any way to know the source of those addresses.
However, after solving this security issue, in 48 months anyone receiving even a very convincing phishing email could know instantly "oh, that is that compromised docusign account" -- that is, if they haven't taken a moment to redirect that inbox to the trash already via a filter.
I urge Google, who has very talented engineers, to implement the correct solution today. Don't wait. You won't get a better example of how important this is, than what's been going on. There are no policy implications as you already do it via the + trick.
I hope you go the extra mile and add a small step to finish solving the problem. Thank you.
> The full and complete solution is to allow me to create a new inbox in Gmail through a single step, for example "j45rsdfjdocusign" which is linked to jsmith747 in a single direction.
When hosting your own email on your own domain you get this benefit out of the box now, without waiting for google to add it for you.
I've been doing this for years, each different company gets a unique email address. Real easy to see who has lost track of their email database, and very easy to turn off those that turn spammy as their business declines and they get ever more desperate to generate sales from their existing "customer list"
There are indeed policy implications. Each such alias reduces the available namespace, where +-aliases do not. If I had to guess why Google doesn't implement this feature, I'd guess that's the reason - their namespace is already hotly contested enough.
(Of course, you can do this, quite easily, if you run your own mail domain. You need not administer an MTA - I gather you can wire up a domain you own to Google Apps or G Suite or whatever they're calling it this week.)
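The difference between +tag addresses and the one-directional aliases discussed in the comments above, as an added example that is not part of the thread or any poster's code. The secret, the `example.org` domain, the `AliasBook` class and the `auth_domain` input (the sender domain the receiving server authenticated, for instance via DKIM) are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # assumption: a key only the mailbox owner holds
DOMAIN = "example.org"               # assumption: placeholder mail domain

def strip_plus_tag(address: str) -> str:
    """Canonicalise a +tagged address: the one-regex step the comment describes."""
    return re.sub(r"\+[^@]*(?=@)", "", address)

def opaque_alias(site: str, length: int = 12) -> str:
    """Derive a per-site alias that carries no trace of the primary local part."""
    digest = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).hexdigest()
    return f"{digest[:length]}@{DOMAIN}"

class AliasBook:
    """Owner-side, one-directional mapping: alias -> site it was handed to."""

    def __init__(self) -> None:
        self._issued = {}
        self._blocked = set()

    def issue(self, site: str) -> str:
        alias = opaque_alias(site)
        self._issued[alias] = site.lower()
        return alias

    def block(self, alias: str) -> None:
        self._blocked.add(alias.lower())

    def classify(self, rcpt: str, auth_domain: Optional[str]) -> Tuple[str, Optional[str]]:
        """Label inbound mail by recipient alias and authenticated sender domain."""
        rcpt = rcpt.lower()
        site = self._issued.get(rcpt)
        if site is None:
            return ("unknown-alias", None)
        if rcpt in self._blocked:
            return ("blocked", site)
        sender = (auth_domain or "").lower()
        if sender == site or sender.endswith("." + site):
            return ("expected", site)
        # The alias was only ever given to `site`, so any other sender got it from there.
        return ("leak-suspected", site)
```

A `leak-suspected` result names the site whose copy of the address is circulating, which is the attribution a stripped +tag address loses.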
[+] [-] graystevens|8 years ago|reply
[0] https://BreachCanary.com
[+] [-] glenneroo|8 years ago|reply
[0]https://haveibeenpwned.com
[+] [-] scoot|8 years ago|reply
[1] http://33mail.com/rj37w3
[+] [-] Kiro|8 years ago|reply
[+] [-] zachkatz|8 years ago|reply
[+] [-] timvdalen|8 years ago|reply
Looks cool though, I subscribed to the list.
[+] [-] 2T1Qka0rEiPr|8 years ago|reply
[+] [-] withinrafael|8 years ago|reply
[+] [-] secfirstmd|8 years ago|reply
Exact titles similar to this: "Accounting Invoice 630761 Document Ready for Signature"
[+] [-] smhenderson|8 years ago|reply
[+] [-] bogomipz|8 years ago|reply
[+] [-] janwillemb|8 years ago|reply
[+] [-] KirinDave|8 years ago|reply
Also Thanks Me for just using docusign w/ our employees when I was in charge.
[+] [-] Xylakant|8 years ago|reply
[+] [-] a_imho|8 years ago|reply
How does clicking a link from an email prove identity? How does it work?
[+] [-] westoque|8 years ago|reply
Joking aside, this is an inevitable event and we just have to be cautious and ready when it does happen.
[+] [-] gogopuppygogo|8 years ago|reply
[+] [-] roemerb|8 years ago|reply
[+] [-] closeparen|8 years ago|reply
[+] [-] krallja|8 years ago|reply
[+] [-] runesoerensen|8 years ago|reply
[+] [-] cottsak|8 years ago|reply
[+] [-] posixplz|8 years ago|reply
[+] [-] annnnd|8 years ago|reply
[+] [-] jrochkind1|8 years ago|reply
[+] [-] defined|8 years ago|reply
[+] [-] wjke2i9|8 years ago|reply
[1] https://www.facebook.com/notes/protect-the-graph/securing-em...
[+] [-] marenkay|8 years ago|reply
[+] [-] westoque|8 years ago|reply
https://www.troyhunt.com/only-secure-password-is-one-you-can...
[+] [-] welpwelp|8 years ago|reply
[+] [-] rodionos|8 years ago|reply
[+] [-] mariusmg|8 years ago|reply
[+] [-] partycoder|8 years ago|reply
[+] [-] welpwelp|8 years ago|reply
[+] [-] m103forme|8 years ago|reply
[+] [-] lihan|8 years ago|reply
[+] [-] logicallee|8 years ago|reply
[+] [-] pwg|8 years ago|reply
[+] [-] throwanem|8 years ago|reply
[+] [-] aerovistae|8 years ago|reply
[+] [-] janwillemb|8 years ago|reply
[+] [-] stevecalifornia|8 years ago|reply