Dropbox Sign Security Breach: Compromise of API Keys, MFA Secrets, and Hashed Passwords

Date: May 2, 2024

CVE: Not specified

Vulnerability Type: Unauthorized access and information disclosure

CWE: [[CWE-200]], [[CWE-287]], [[CWE-522]]

Sources: cybersecuritynews, Dropbox advisory blog

Issue Summary

Dropbox disclosed a significant breach on April 24th, 2024, affecting its Dropbox Sign service, previously known as HelloSign. Dropbox believes that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products. The breach exposed sensitive customer information, including API keys, MFA secrets, and hashed passwords, through unauthorized access obtained via a compromised service account within Dropbox Sign's backend.

Technical Key Findings

The actor compromised a service account that was part of Sign’s back-end, a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. This access was then used to breach the production environment and access the customer database. Dropbox states that Sign’s infrastructure is largely separate from other Dropbox services.

Vulnerable Products

The incident directly affects Dropbox Sign users; the exposed data includes their names, email addresses, and other potentially sensitive data linked to their use of the service.

Impact Assessment

The breach could lead to further attacks such as impersonation or secondary phishing attacks aimed at affected users, given the exposure of email addresses and names. The compromise of API keys and MFA secrets also raises the potential for deeper system access if not immediately mitigated. Dropbox is in the process of reaching out to all users impacted by this incident who need to take action.

Patches or Workaround

Dropbox has responded by resetting passwords, logging users out of all devices, and rotating all compromised API keys and OAuth tokens to mitigate the breach and prevent further unauthorized access.
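Why the exposed MFA secrets require re-enrollment rather than only a password reset, as an added illustration (this is not Dropbox's code): a minimal RFC 6238 TOTP verifier showing that once a user's seed is replaced, a code derived from the previously stored seed no longer verifies. The `reenroll` helper, the user record and the timestamps are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example, not Dropbox's code: RFC 6238 TOTP with SHA-1, 30 s steps, 6 digits.
STEP = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """Compute the TOTP code for a raw seed at a given Unix time (RFC 6238)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Constant-time comparison of a submitted code against +/- `window` steps."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP), code):
            return True
    return False


def reenroll(user: dict) -> dict:
    """Hypothetical helper: discard the stored seed and issue a fresh one.
    The user must re-provision their authenticator with the new seed."""
    return dict(user, mfa_secret=secrets.token_bytes(20),
                mfa_enrolled_at=int(time.time()))


def demo() -> tuple:
    """Constructed scenario: a user whose stored seed is assumed exposed."""
    now = 1_714_608_000  # 2024-05-02T00:00:00Z, constructed
    exposed_seed = b"12345678901234567890"  # RFC 6238 test-vector seed
    user = {"email": "alice@example.com", "mfa_secret": exposed_seed}
    stale_code = totp(exposed_seed, now)  # valid only against the exposed seed
    user = reenroll(user)
    # After re-enrollment the verifier is bound to the new seed: the stale code
    # fails, a code from the freshly provisioned seed succeeds.
    return (verify_totp(user["mfa_secret"], stale_code, now),
            verify_totp(user["mfa_secret"], totp(user["mfa_secret"], now), now))
```

Note that resetting the password or invalidating sessions leaves the old seed usable; only replacing the seed closes that gap.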

Tags

#Dropbox #API_Security #Phishing #Data_Breach #Cybersecurity
