This is Dropbox Sign, not Dropbox. It’s a document signing product akin to Docusign, and was called Hellosign before Dropbox acquired them.
We are a customer of theirs at my startup, and as far as I can tell Dropbox has made very few changes since the acquisition beyond changing the branding. So I wouldn’t take this incident to be an indicator of much on the cloud-storage side of the company.
Acquired in 2022? IMO that's enough time to bring their service up to the same security standard as the rest of their services, assuming it's a priority.
Google and others normally have a 6 month grace period for bug bounty reports in acquisitions.
We’ve been with hellosign for years and Dropbox has done a great job of stabilizing them. I will tell you that they have put in a ton of ops work to keep the platform up more consistently.
It should also be a reminder for Dropbox that acquiring a product and then allowing it to languish, risking security vulnerabilities, will, appropriately, have negative brand perception implications that affect your main product too.
"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."
I use Dropbox Sign API, so a little fearful our private data was accessed.
API keys were leaked as part of this hack. It's unclear from press release if hackers used the API keys to access data/documents of customers.
April 24th they became aware of the issue, reporting it over a week later. I'd also be curious how long this problem went on before being detected on April 24.
> Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.
Not familiar with this area; how does it usually happen? Social engineering or some more "technical" ways?
Also, under normal (not hacked) circumstances, who usually would have access to these service accounts?
The credentials for service accounts are generally available to a system admin but I think in most cases it would be a strange request to ask for them, so not a strong vector for social engineering.
A service account is used to give limited permissions on one system to another system. Normally only that system would need access to them, not any human.
Their main benefit is that, since no person is trying to do their day job here, the account can be locked down to precisely the permissions it needs. The reality is that service accounts are usually given extremely permissive access initially and then forgotten about. This makes them juicy targets for attackers.
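The comment above describes the usual failure mode: service accounts granted broad access up front and then forgotten. One way to catch both problems in an inventory is a periodic audit, shown here as an added example (not Dropbox's or anyone else's tooling); the inventory format, the sample accounts, and the age/idle thresholds are all assumed.

```python
"""Audit a service-account inventory for over-broad scopes, missing ownership,
stale credentials and idle accounts. Added example; data and thresholds are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]       # team accountable for the account, None if unknown
    scopes: List[str]          # granted permissions, e.g. "db:read:customers"
    created: date              # when the current credential was issued
    last_used: Optional[date]  # last authenticated use, None if never observed

# Constructed sample inventory (hypothetical accounts, not real ones).
INVENTORY = [
    ServiceAccount("config-tool", None, ["*"], date(2021, 3, 1), date(2024, 4, 20)),
    ServiceAccount("mailer", "notify-team", ["mail:send"], date(2024, 3, 10), date(2024, 4, 30)),
    ServiceAccount("legacy-export", "data-team", ["db:read:*", "s3:write:*"], date(2020, 6, 5), None),
]
TODAY = date(2024, 5, 1)  # fixed "today" so the run is reproducible

def audit(accounts, today, max_age_days=90, idle_days=30) -> Dict[str, List[str]]:
    """Return {account_name: [findings]} for accounts that need attention."""
    findings = {}
    for acct in accounts:
        issues = []
        # Wildcard scopes mean the account can do far more than its one job.
        if any(s == "*" or s.endswith(":*") for s in acct.scopes):
            issues.append("wildcard scope")
        # Without an owner there is nobody to confirm the account is still needed.
        if acct.owner is None:
            issues.append("no owner")
        # A credential that has never been rotated is the "forgotten about" case.
        if (today - acct.created).days > max_age_days:
            issues.append("credential older than %d days" % max_age_days)
        # No recent use means the account is a liability with no benefit.
        if acct.last_used is None or (today - acct.last_used).days > idle_days:
            issues.append("idle: candidate for removal")
        if issues:
            findings[acct.name] = issues
    return findings

REPORT = audit(INVENTORY, TODAY)

if __name__ == "__main__":
    for name, issues in REPORT.items():
        print(name, "->", "; ".join(issues))
```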
I really recommend listening to the Darknet Diaries podcast (available on Spotify at least). Really high-quality interviews with both ex and current hackers, cybersecurity professionals etc.
I love Dropbox, but stuff like this is a good reminder to re-evaluate using any service that stores large amounts of personal data without e2ee. I understand that, partly because of block-level diffing and syncing, it's hard to provide true e2ee for Dropbox, but it's still a big reason why I keep most of my stuff in iCloud Drive (with Advanced Data Protection), despite liking Dropbox much more.
Hope they'll come around and add it at some point, and not just for businesses as hinted at when they acquired boxcryptor.
(Cryptomator and encrypted sparsebundles work great on Dropbox. Just annoying to manage)
I used to love Dropbox, then they limited devices and storage so much it was barely worth it, and spamming me with nag popups all day to upgrade because my storage was near full sealed the deal and I just started using OneDrive (not much better, but it's integrated and convenient; probably going to just go FOSS with a home server eventually). Another sad downfall of a once good company.
> threat actor had accessed data including ... certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.
> If I have a Sign account linked to my Dropbox account, is my Dropbox account affected? No. Based on our investigation to date, we believe this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.
If you linked your Dropbox account to a Sign account, wouldn't Sign have had an OAuth token (or similar) with permissions to access documents in Dropbox accounts? One imagines that leaked, if everything else did. Would they have been able to detect this as a distinct access pattern from someone, say, choosing a file to sign via the Sign interface?
That was when i stopped using the cloud for storing personal stuff.
Fast forward a decade and I've more than had my fill of self hosting stuff, so a couple of years ago I went all in on the cloud again, though with a bit of a different approach.
Stuff that is not really sensitive is uploaded "as is". Yes, that includes our photos. While I don't want our photo library to be "public domain", there is nothing there of particular interest to anybody but my family and I.
For sensitive stuff I use Cryptomator to end-to-end encrypt data before uploading it to the cloud. It has desktop and mobile clients that allow me transparent access to my encrypted files on the go.
In the grand scheme of things, expecting your name and email address to really stay private is not all that reasonable. You probably gave them to the person who then used Dropbox Sign to send you a document. If you were really worried you could have used a throwaway account. The old saying is, once you tell someone, it's no longer a secret.
Why are they charging per-user? What exactly does that mean? A company will have one singular account and send documents to non-Dropbox affiliated entities, who aren't classified as users.
At least it's a hack this time, it's not like when they forgot to enable authentication and you could sign-in to any Dropbox just by entering the e-mail.
Seems like they got the 2FA keys as well[0], so I'm not sure how useful this is in this context. 2FA seems it might be more useful where it's a different site and you've reused the password or had it phished, than in this case where the site is compromised.
I'm still unclear how much I'm impacted. I've used Dropbox Sign / HelloSign but always with my dropbox account. Resetting password and 2FA anyway, because why not.
chenxi9649|1 year ago
hashed passwords, API keys, OAuth tokens, MFA...
Oh no.
tyrelb|1 year ago
I suppose more will come out in the coming days..
Flimm|1 year ago
https://blog.dropbox.com/topics/company/new-solutions-to-sec...
reddalo|1 year ago
[1] https://proton.me/drive
latexr|1 year ago
So they also leaked data of people who are not their customers, and who never agreed to have their information collected.
I doubt that flies under the GDPR.
rvnx|1 year ago
https://techcrunch.com/2011/06/20/dropbox-security-bug-made-...
jwilk|1 year ago
https://news.ycombinator.com/item?id=2678576 (46 comments)
bilekas|1 year ago
This might be the first time a large company has actually apologised and admitted some fault. Colour me shocked.
vertis|1 year ago
[0]: They're asking people to reset the 2FA.