Dropbox reports that a hacker has gained unauthorized access to systems for the Sign program, formerly HelloSign. The attackers had access to various personal data, but not to signatures. Those affected will be informed by email.
The company writes that the cyber attack took place on April 24, when hackers gained access to the 'production environment' of Dropbox Sign. Using a compromised 'non-human account', the third party gained access to the program's backend through an automated system configuration tool.
Depending on how users interacted with Dropbox Sign, various pieces of personal data may have been compromised. For users without an account, for example, the attackers had access to email addresses and names. For users with an account, telephone numbers, hashed passwords, API keys and authentication tokens may also have been accessed without authorization. Dropbox emphasizes that this concerns account information only, not content created in Sign via these accounts, such as digital signatures and documents.
The company has automatically reset passwords and asks API customers to generate new API keys. Users who use multi-factor authentication will also need to reset this feature.