🛡 H3lium@infosec.exchange/:~#
<p><strong>Dropbox Sign Security Breach: Compromise of API Keys, MFA Secrets, and Hashed Passwords</strong></p>
<p><strong>Date</strong>: May 2, 2024<br><br><strong>CVE</strong>: Not specified<br><br><strong>Vulnerability Type</strong>: Unauthorized access and information disclosure<br><br><strong>CWE</strong>: [[CWE-200]], [[CWE-287]], [[CWE-522]]<br><br><strong>Sources</strong>: <a href="https://cybersecuritynews.com/dropbox-sign-hacked/" rel="nofollow noopener" target="_blank">cybersecuritynews</a>, <a href="https://sign.dropbox.com/blog/a-recent-security-incident-involving-dropbox-sign" rel="nofollow noopener" target="_blank">DropBox advisory Blog</a></p>
<p><strong>Issue Summary</strong></p>
<p>On April 24th, 2024, Dropbox became aware of unauthorized access to the production environment of Dropbox Sign, previously known as HelloSign, and disclosed the incident publicly on May 1st, 2024. Dropbox believes the incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox product. The intruder reached Sign's customer database through a compromised service account in Sign's backend and obtained customer data including API keys, OAuth tokens, MFA secrets, and hashed passwords.</p>
<p><strong>Technical Key Findings</strong></p>
<p>The actor compromised a service account that was part of Sign's back-end, a type of non-human account used to execute applications and run automated services. As such, the account had privileges to take a variety of actions within Sign's production environment, and the actor used it to breach the production environment and read the customer database. Dropbox states that Sign's infrastructure is largely separate from other Dropbox services.</p>
<p><strong>Vulnerable Products</strong></p>
<p>All Dropbox Sign (HelloSign) account holders are affected. Exposed data includes email addresses, usernames, phone numbers, hashed passwords, and general account settings, plus API keys, OAuth tokens, and MFA secrets for accounts that used them. Third parties who received or signed a document through Dropbox Sign without ever creating an account had their names and email addresses exposed. Dropbox reports no evidence that the contents of users' accounts (documents, agreements, templates) or payment information were accessed.</p>
<p><strong>Impact Assessment</strong></p>
<p>The exposed names and email addresses enable impersonation and targeted phishing of affected users; a fake "please sign this document" notification is the obvious follow-on lure. Stolen API keys and OAuth tokens give direct API access to customer accounts until they are rotated. A leaked MFA secret (for example a TOTP seed) lets the attacker generate valid second-factor codes, so a password reset alone does not close that path; the second factor has to be re-enrolled. The hashed passwords are exposed to offline cracking, so reuse of the same password on other services is the main residual risk. Dropbox is reaching out to all users impacted by this incident who need to take action.</p>
<p><strong>Patches or Workaround</strong></p>
<p>Dropbox reset affected users' passwords, logged them out of all devices connected to Dropbox Sign, and rotated all API keys and OAuth tokens. API customers must generate a new key; Dropbox restricted what the old keys can do until they are rotated. Users who enrolled MFA with an authenticator app should delete the existing Dropbox Sign entry and set it up again, and anyone who reused their Dropbox Sign password elsewhere should change it there as well.</p>
<p><strong>Tags</strong></p>
<p><a href="https://infosec.exchange/tags/Dropbox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Dropbox</span></a> <a href="https://infosec.exchange/tags/API_Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>API_Security</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Data_Breach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Data_Breach</span></a> <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cybersecurity</span></a></p>
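<p>The following is an added example, not code from the post above or from Dropbox, illustrating the MFA point in the Impact Assessment: why a leaked MFA secret defeats the second factor until the user re-enrolls, and why a password reset alone is not enough. It assumes the MFA secrets were TOTP seeds (the post only says "MFA secrets"; the TOTP form is an assumption here) and implements RFC 6238 TOTP over HMAC-SHA1 with only the Python standard library. The seed values in the code are constructed for the demo and are not real Dropbox Sign data.</p>

```python
"""Added example (not from the Dropbox advisory): a leaked TOTP seed yields
valid second-factor codes until the user re-enrolls with a fresh seed.
RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1, standard library only.
All seeds below are constructed demo values, not real account data."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift)."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def seed_from_base32(seed_b32: str) -> bytes:
    """Authenticator apps carry the seed as base32 (the otpauth:// 'secret' parameter)."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                   # restore stripped padding
    return base64.b32decode(cleaned)


def new_seed_base32(nbytes: int = 20) -> str:
    """Fresh seed for re-enrollment (160 bits; RFC 4226 requires at least 128)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def leaked_seed_scenario(at: int, rotated_seed_b32: Optional[str] = None) -> dict:
    """Walk through the breach scenario at a fixed unix time `at`.

    Before rotation: the attacker computes a code from the stolen seed and the
    server accepts it. A password reset changes nothing here.
    After re-enrollment: the server holds a new seed and the stolen one is useless.
    `rotated_seed_b32` lets a caller pin the new seed; by default it is random.
    """
    # Constructed demo seed: what would sit in the MFA column of a user table.
    stored_seed_b32 = "JBSWY3DPEHPK3PXP"
    server_seed = seed_from_base32(stored_seed_b32)

    # The attacker has a copy of the same row, so the same seed.
    attacker_code = totp(seed_from_base32(stored_seed_b32), at)
    accepted_before = verify_totp(server_seed, attacker_code, at)

    # Mitigation: delete the authenticator entry and re-enroll -> new seed server-side.
    rotated_seed = seed_from_base32(rotated_seed_b32 or new_seed_base32())
    accepted_after = verify_totp(rotated_seed, attacker_code, at)

    return {
        "attacker_code": attacker_code,
        "accepted_before_rotation": accepted_before,
        "accepted_after_rotation": accepted_after,
    }


if __name__ == "__main__":
    print(leaked_seed_scenario(int(time.time())))
```

<p>The point of the scenario function is the first flag: as long as the server still holds the seed the attacker copied, every code the attacker computes is accepted, regardless of how many times the password is reset or sessions are revoked. Only replacing the seed (re-enrollment) changes that, which is why the advisory asks MFA users to delete and re-add the authenticator entry rather than just change their password.</p>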