科技回声
A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

A recent security incident involving Dropbox Sign

213 points, by JonoBB, about 1 year ago

13 comments

dml2135, about 1 year ago
This is Dropbox Sign, not Dropbox. It’s a document signing product akin to Docusign, and was called Hellosign before Dropbox acquired them.

We are a customer of theirs at my startup, and as far as I can tell Dropbox has made very few changes since the acquisition beyond changing the branding. So I wouldn’t take this incident to be an indicator of much on the cloud-storage side of the company.
chenxi9649, about 1 year ago
"Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication."

Hashed passwords, API keys, OAuth tokens, MFA...

Oh no.
thrdbndndn, about 1 year ago
> Based on our investigation, a third party gained access to a Dropbox Sign automated system configuration tool. The actor compromised a service account that was part of Sign’s back-end, which is a type of non-human account used to execute applications and run automated services. As such, this account had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to access our customer database.

Not familiar with this area; how does it usually happen? Social engineering, or some more "technical" ways?

Also, under normal (not hacked) circumstances, who usually would have access to these service accounts?
fileseeder, about 1 year ago
That's why e2ee is key; decentralised tooling for these types of applications is the way (even if the UX is not as good yet).
artdigital, about 1 year ago
I love Dropbox, but stuff like this is a good reminder to re-evaluate using any service that stores large amounts of personal data without e2ee. I understand that, partly because of block-level diffing and syncing, it's hard to provide true e2ee for Dropbox, but it's still a big reason why I'm keeping most of my stuff in iCloud Drive (with Advanced Data Protection), despite liking Dropbox much more.

Hope they'll come around and add it at some point, and not just for businesses as hinted at when they acquired Boxcryptor.

(Cryptomator and encrypted sparsebundles work great on Dropbox. Just annoying to manage.)
btown, about 1 year ago
Trying to understand some of the interplay here:

> threat actor had accessed data including ... certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.

> If I have a Sign account linked to my Dropbox account, is my Dropbox account affected? No. Based on our investigation to date, we believe this incident was isolated to Dropbox Sign infrastructure, and did not impact any other Dropbox products.

If you linked your Dropbox account to a Sign account, wouldn't Sign have had an OAuth token (or similar) with permissions to access documents in Dropbox accounts? One imagines that leaked, if everything else did. Would they have been able to detect this as a distinct access pattern from someone, say, choosing a file to sign via the Sign interface?
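The two questions raised above, how a compromised service account ends up reading the customer database (thrdbndndn) and whether use of a leaked OAuth token is distinguishable from a user picking a file to sign (btown), both reduce to whether the audit logs let you compare a principal's current behaviour with what it normally does. The following is an added example, not code from the page or from Dropbox Sign's systems, of baseline-and-deviation detection over constructed audit events. The JSON field names, principal names, network range and every sample event are assumptions made for this example.

```python
"""Baseline-and-deviation checks for non-human principals over audit events.

Everything here is constructed for illustration: field names, principal names,
the automation network range and the events are assumptions, not Dropbox Sign's
real log format.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed: hosts that legitimately run automation with service accounts live here.
AUTOMATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed known-good window, used to learn what each principal normally does.
BASELINE_LOG = """
{"ts": "2024-04-20T01:00:00Z", "principal": "svc-config-tool", "kind": "service_account", "action": "config.read", "target": "sign-backend", "src": "10.20.4.7"}
{"ts": "2024-04-20T01:05:00Z", "principal": "svc-config-tool", "kind": "service_account", "action": "config.write", "target": "sign-backend", "src": "10.20.4.7"}
{"ts": "2024-04-20T02:00:00Z", "principal": "oauth:dbx-link:u123", "kind": "oauth_token", "action": "files.get", "target": "dropbox:/contracts/nda.pdf", "src": "10.20.9.3"}
"""

# Constructed detection window: the same two principals, now behaving differently.
EVENT_LOG = """
{"ts": "2024-04-24T03:10:00Z", "principal": "svc-config-tool", "kind": "service_account", "action": "config.read", "target": "sign-backend", "src": "10.20.4.7"}
{"ts": "2024-04-24T03:12:00Z", "principal": "svc-config-tool", "kind": "service_account", "action": "db.query", "target": "customer_db", "src": "10.20.4.7"}
{"ts": "2024-04-24T03:14:00Z", "principal": "svc-config-tool", "kind": "service_account", "action": "db.export", "target": "customer_db", "src": "203.0.113.45"}
{"ts": "2024-04-24T03:20:00Z", "principal": "oauth:dbx-link:u123", "kind": "oauth_token", "action": "files.get", "target": "dropbox:/contracts/nda.pdf", "src": "10.20.9.3"}
{"ts": "2024-04-24T03:21:00Z", "principal": "oauth:dbx-link:u123", "kind": "oauth_token", "action": "files.list_folder", "target": "dropbox:/", "src": "198.51.100.9"}
"""


def parse(log):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def in_automation_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTOMATION_NETS)


def build_baseline(events):
    """Per principal: the (action, target) pairs and source addresses seen in the known-good window."""
    baseline = defaultdict(lambda: {"acts": set(), "srcs": set()})
    for e in events:
        baseline[e["principal"]]["acts"].add((e["action"], e["target"]))
        baseline[e["principal"]]["srcs"].add(e["src"])
    return baseline


def detect(events, baseline):
    """Return (event, reasons) for every event that deviates from expectation."""
    findings = []
    for e in events:
        seen = baseline.get(e["principal"], {"acts": set(), "srcs": set()})
        reasons = []
        if (e["action"], e["target"]) not in seen["acts"]:
            reasons.append("action/target never seen for this principal")
        if e["src"] not in seen["srcs"]:
            reasons.append("source address never seen for this principal")
        if e["kind"] == "service_account" and not in_automation_net(e["src"]):
            reasons.append("service account used from outside the automation network")
        if e["action"].startswith("db.") and e["target"] == "customer_db" and e["kind"] != "human":
            reasons.append("non-human principal touching customer_db")
        if reasons:
            findings.append((e, reasons))
    return findings


def run():
    """Learn the baseline, then score the detection window."""
    return detect(parse(EVENT_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for event, reasons in run():
        print(event["ts"], event["principal"], event["action"], event["target"], "<-", "; ".join(reasons))
```

On the constructed data the config tool's normal `config.read` and the token's normal `files.get` produce nothing, while the two customer_db actions and the folder listing from a new address are flagged, each with the specific rules that fired. The per-principal baseline is what answers btown's question: a token that has only ever fetched individual documents from the product's own hosts looks different when it starts enumerating folders from elsewhere, provided the logs record the source and the action at that granularity.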
aborsy, about 1 year ago
Dropbox was breached also around 2012.
latexr, about 1 year ago
> For those who received or signed a document through Dropbox Sign, but never created an account, email addresses and names were also exposed.

So they also leaked data of people who are not their customers, and who never agreed to have their information collected.

I doubt that flies under the GDPR.
polski-g, about 1 year ago
I am confused about Dropbox Sign's pricing model.

Why are they charging per user? What exactly does that mean? A company will have one singular account and send documents to non-Dropbox-affiliated entities, who aren't classified as users.
rvnx, about 1 year ago
At least it's a hack this time; it's not like when they forgot to enable authentication and you could sign in to any Dropbox just by entering the e-mail.

https://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/
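The failure class rvnx points at, a login path that grants a session without the password ever being verified, is worth seeing next to its fail-closed counterpart. This is an added example, not code from the page and not a description of the 2011 Dropbox bug; the feature flag is a hypothetical way such a bug can arise, and the user record, KDF parameters and helper names are assumptions made for the example.

```python
"""A login check that can be switched off versus one that fails closed.

Added example. The feature flag is a hypothetical way such a bug could arise and
is not a description of the 2011 Dropbox bug; the user store is constructed.
"""
import hashlib
import hmac
import os

# Kept low so the example runs quickly (assumed value). Production should use a
# memory-hard KDF such as scrypt or argon2, or a far higher PBKDF2 count.
KDF_ITERATIONS = 50_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(record, password):
    """Recompute and compare in constant time; this is the only thing that may say yes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


# Constructed user store.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# Dummy record so that unknown e-mail addresses cost the same work as known ones.
_DUMMY = hash_password(os.urandom(16).hex())


def login_vulnerable(email, password, password_check_enabled=True):
    """Hypothetical buggy shape: a configuration switch sits between the lookup
    and the grant. When it is off, knowing an e-mail address is enough."""
    record = USERS.get(email)
    if record is None:
        return False
    if password_check_enabled and not verify_password(record, password):
        return False
    return True  # reached without any verification when the switch is off


def login_fail_closed(email, password):
    """Hardened shape: the only way to return True is a successful verification
    result. There is no configuration path that skips it."""
    record = USERS.get(email)
    if record is None:
        verify_password(_DUMMY, password)  # same work for unknown users
        return False
    return verify_password(record, password)


def self_check():
    """Deploy-time regression check: a wrong password must never log in,
    and the right one must. Wire this into the release pipeline."""
    return (
        login_fail_closed("alice@example.com", "wrong") is False
        and login_fail_closed("alice@example.com", "correct horse battery staple") is True
        and login_fail_closed("nobody@example.com", "anything") is False
    )


if __name__ == "__main__":
    print("vulnerable, switch off, wrong password:",
          login_vulnerable("alice@example.com", "wrong", password_check_enabled=False))
    print("fail-closed, wrong password:", login_fail_closed("alice@example.com", "wrong"))
    print("self-check passes:", self_check())
```

The structural point is that in the hardened function the boolean that becomes the session decision is always the output of `verify_password`; a misapplied flag, a missing branch or a refactor cannot produce `True` on any other path, and `self_check` turns "a wrong password is rejected" into something a pipeline can assert before a build ships.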
bilekas, about 1 year ago
> We didn’t live up to that standard here, and we’re deeply sorry for the impact it caused our customers.

This might be the first time a large company has actually apologised and admitted some fault. Colour me shocked.
virtue3, about 1 year ago
good reminder to enable 2fa on my dropbox account. Whoops.
chrisjj, about 1 year ago
So, Dropbox failed to inform the affected customers?